We are looking to deploy an Intermediary forwarding tier consisting of 3 Universal Forwarders going to Splunk Cloud.
The 3 UFs will be receiving data from 3 Heavy forwarders which will load-balance data across the intermediary forwarding tier.
The intermediary tier has to be there due to networking reasons that we cannot overcome which are not allowing the Heavy forwarders to forward to Splunk Cloud directly.
What specs should we be looking for the UFs of the intermediary forwarding tier considering a license of 600GB/day? The license would be split through the 3 UFs but in case of failure, each UF should be spec'd to be able to forward the full load.
Would something like 4 CPU cores and 8GB RAM be enough?
The intermediary forwarding tier consists of 3 Universal Forwarders or 3 Heavy Forwarders?
Before you spoke of UFs and after of HFs!
Anyway, it's better to use HFs.
The HW reference of these HFs depends on the job they have to do: if they only have to concentrate logs, it's much too light a configuration, but it could run (eventually at least 8 CPUs) and you could also use UFs instead of HFs; if instead you have to filter and transform logs, you have to give more resources to your HFs.
Anyway, there isn't a clear definition of HW reference for HFs; if it isn't a problem, give the standard resources asked by Splunk for Stand Alone servers (12 CPUs and 12 GB RAM).
Eventually use only two HFs but giving the correct resources!
The intermediary forwarding tier will consist of 3 UFs receiving data from 3 HFs. So basically the UFs will just receive data and forward on to Splunk Cloud.
Unfortunately we are not able to use the 3 HFs to send directly to Splunk Cloud due to networking reasons hence why we need the intermediary forwarding tier.
Would you say that 4 cores and 8GB RAM for the UFs will not be enough?
It's a very strange architecture to have HFs that send data to UFs; usually it's the opposite: UFs are installed on target servers, they take logs and send them to HFs that forward to Indexers or Splunk Cloud.
Anyway, yes, they should be enough.