What's the recommended best practice to architect a Windows universal forwarder to an indexer cluster? Is it better to forward all the Windows UF data to a VIP or just have them go straight to the indexers?
Splunk has an auto load-balancing capability, http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Configureforwarderswithoutputs.conf
But without knowing all the details of your environment and requirements, this may be the recommended approach.
