We plan to deploy Splunk with indexer clustering (with 3 indexers) in our company.
We know the hardware requirements for indexers and search heads, but it's not clear to us what recourses (CPU Cores, RAM, Storage) are needed for Cluster Master, License Master, Deployment Server, Heavy Forwarders, DMC.
Is there any recommendation for these components?
For all the management servers, use the reference hardware of 12GB RAM and 12 cores.
All of these have low disk requirements. Deployment Server and Cluster master has medium cpu and memory requirements. Rest has low cpu/mem requirement.
If Deployment Server will be deploying to more than 50 clients, then it must run on a dedicated instance and One server can safely handles approximately 2000+ polls/minute (Windows) and 10,000 + polls/minute (Linux)
Cluster Master cannot be shared with Indexer or Search heads but can share the roles of Monitoring Console or Deployer, under certain circumstances.
Monitoring console should have dedicated instance so that only administrators can have access to it. But it can run on shared instance with some caveats
Deployer can be deployed on dedicated instance or dedicated deployment server or cluster master node.
The DMC (now called "MC") is just a search head and can be configured as such. Heavy forwarders are indexers that don't store data.
Splunk recommends all instances follow the Hardware Reference. You can get away with much lighter instances, but if you have problems Support may expect you to meet the minimum specs before helping.
You can, however, combine many of the roles into two instances. HFs will always be their own instances, but you can combine any of the others as long as the CM and DS are separate. See https://docs.splunk.com/Documentation/Splunk/8.0.3/Indexer/Systemrequirements#Additional_roles_for_t....