I would like to have best practices regarding deploying a new Splunk cluster (v8). Could you say if this is correct and in logical order?
1. Install Splunk on all nodes with a non-root user (except if you want an HF), verify ulimits
2. Configure one server "manager" with monitoring console, license master, deployer & deployment server roles
3. Configure Master Node (cluster master) on separate server
4. Configure peers, connect them to the MN
5. Configure search heads, connect them to the MN
6. Configure Universal forwarders
Yes, but that's not unique to HF. You can use a UF to receive data on a raw TCP/UDP port. And still you can just open another, higher port, like 1514, 6514 or whatever. And even better, use a separate syslog-collecting layer like sc4s or rsyslog and send data to HEC from there.
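To make step 1 of the plan above (non-root install, ulimits) and the point in the reply about ports below 1024 concrete, here is a pre-flight shell script added as an example; it is not code from the original thread or from Splunk. It assumes the install lives at /opt/splunk (override with SPLUNK_HOME), takes 64000 open files and 16000 user processes as the minimum ulimits (the values I take to be Splunk's documented recommendations; adjust to your platform's guidance), reads the clustering role from the [clustering] stanza of server.conf, and lists tcp/udp listener ports below 1024 in inputs.conf, which a non-root splunkd cannot bind. Both sample config files are constructed for the demonstration.

```shell
#!/bin/sh
# Pre-flight checks for a non-root Splunk node (example, not Splunk's own tooling).
# Assumptions: install at /opt/splunk unless SPLUNK_HOME is set; minimum ulimits
# of 64000 open files and 16000 user processes (assumed Splunk recommendations).

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
MIN_NOFILE=64000
MIN_NPROC=16000

# check_limits NOFILE NPROC -> "ok" or "FAIL: <limits that are too low>".
# Takes the values as arguments so it can be run against any numbers; the live
# check in preflight() passes the real output of ulimit.
check_limits() {
    nofile="$1"; nproc="$2"; fail=""
    # "unlimited" satisfies any minimum
    if [ "$nofile" != unlimited ] && [ "$nofile" -lt "$MIN_NOFILE" ]; then
        fail="$fail open-files=$nofile(<$MIN_NOFILE)"
    fi
    if [ "$nproc" != unlimited ] && [ "$nproc" -lt "$MIN_NPROC" ]; then
        fail="$fail processes=$nproc(<$MIN_NPROC)"
    fi
    if [ -z "$fail" ]; then echo ok; else echo "FAIL:$fail"; fi
}

# check_owner OWNER -> "ok" when the owner is a non-root account.
check_owner() {
    case "$1" in
        root) echo "FAIL: running as root" ;;
        "")   echo "FAIL: no owner" ;;
        *)    echo ok ;;
    esac
}

# cluster_role FILE -> role from "mode = ..." inside the [clustering] stanza
# of a server.conf ("standalone" when the stanza or key is absent).
cluster_role() {
    mode=$(sed -n '/^\[clustering\]/,/^\[/s/^[[:space:]]*mode[[:space:]]*=[[:space:]]*//p' "$1" \
           | head -n1 | tr -d '[:space:]')
    case "$mode" in
        manager|master) echo manager ;;
        peer)           echo peer ;;
        searchhead)     echo searchhead ;;
        *)              echo standalone ;;
    esac
}

# low_ports FILE -> space-separated tcp/udp listener ports below 1024 found in
# an inputs.conf. A non-root splunkd cannot bind these, so they need a higher
# port (1514, 6514, ...) or a separate syslog collector in front of Splunk.
low_ports() {
    awk '/^\[(tcp|udp)(-ssl)?:\/\//{
            s=$0; sub(/\].*/, "", s); gsub(/\//, "", s)   # "[tcp://514]" -> "[tcp:514]"
            n=split(s, a, ":"); p=a[n]+0                   # last ":" field is the port
            if (p < 1024) out = out (out == "" ? "" : " ") p
        }
        END { print out }' "$1"
}

# Constructed sample server.conf for an indexer peer (not from a real host).
write_sample_server_conf() {
    cat > "$1" <<'EOF'
[general]
serverName = idx-01
[clustering]
mode = peer
manager_uri = https://cm.example.internal:8089
pass4SymmKey = REPLACE_ME
[replication_port://9887]
EOF
}

# Constructed sample inputs.conf with two privileged syslog listeners.
write_sample_inputs_conf() {
    cat > "$1" <<'EOF'
[splunktcp://9997]
[tcp://514]
sourcetype = syslog
[udp://514]
[tcp-ssl://6514]
[udp://1514]
EOF
}

# Live check for this host. Run it as the Splunk service user (for example
# via su - splunk) so the ulimits reported are the ones splunkd inherits.
preflight() {
    owner=$(ls -ld "$SPLUNK_HOME" | awk '{print $3}')
    echo "install owner : $(check_owner "$owner")"
    echo "ulimits       : $(check_limits "$(ulimit -n)" "$(ulimit -u)")"
    echo "cluster role  : $(cluster_role "$SPLUNK_HOME/etc/system/local/server.conf")"
    echo "low ports     : $(low_ports "$SPLUNK_HOME/etc/system/local/inputs.conf")"
}

# Only run the live check when a Splunk install is present on this host.
if [ -d "$SPLUNK_HOME" ]; then preflight; fi
```

Run it once per node before step 4 or 5; a peer that reports `FAIL` on ulimits or a `low ports` entry will start, but fail later under load or refuse the listener, which is harder to diagnose than a pre-flight message.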
Yes, the process is correct, only three things:
I guess this is for your practice, right? The flow is correct.
However, I would not recommend setting up the deployment server and license server on one server if you have more than 50 clients where the UF needs to be installed; for low volume, though, it is OK for the deployment server to be clubbed.
Try this link for reference.
And also, if you are configuring the master node, steps 4 and 5 should have sub-steps for indexer clustering and SH clustering.
If you find the answer helpful, karma is appreciated.