Hi @SS1,
at first you have to define the HA requirements:
in the first case you have to use both an Indexer Cluster and a Search Head Cluster.
In the second case you have to use only an Indexer Cluster.
For an Indexer Cluster is required at least:
- two or more Indexers (they depends on the volume of data);
- a Master Mode.
Yu can find more infos at https://docs.splunk.com/Documentation/Splunk/8.1.1/Indexer/Basicclusterarchitecture
For a Search Head Cluster is required at least:
- three or more Search Heads (they depends on the volume of users and scheduled searches);
- a Deployer.
You can find more infos at https://docs.splunk.com/Documentation/Splunk/8.1.1/DistSearch/AboutSHC
Master Node must be a dedicated server.
Deployer is a role that can be shared with other roles (except: Search Head, Indexer, Master Node and Deployment Server).
Hardware and storage requirements depends on the data volume and searches, you can find more infos at:
https://docs.splunk.com/Documentation/Splunk/latest/Installation/Systemrequirements
https://docs.splunk.com/Documentation/Splunk/8.1.1/Capacity/Referencehardware
https://docs.splunk.com/Documentation/Splunk/8.1.1/Capacity/Estimateyourstoragerequirements
These are few informations about Splunk HA, but remember that Splunk architecture must be designed and planned with many attention by a specialist (Splunk Architect).
Ciao.
Giuseppe
