Hi @danielbb, as @richgalloway also said, there are more parameters that you have to consider: data volume, HA or not HA, number of users and scheduled searches, etc.

My first hint is to engage a Splunk Certified Architect or Splunk Professional Services to design your architecture. You can find some ideas at https://www.splunk.com/en_us/pdfs/tech-brief/splunk-validated-architectures.pdf

E.g.: having only one Indexer, there's no requirement for a Cluster Manager and you can put the License Manager on the same Indexer; the Cluster Manager is required if you have HA requirements and you have at least two Indexers.

About the HF, it depends on many factors: where are your Meraki servers located, on premise or in the Cloud? If on premise, it's a best practice to have a concentrator between the devices and the Indexers; anyway, you could also put the syslog receiver on the Indexers (it isn't a best practice). Then, how does Meraki send logs? If by syslog, you should configure an rsyslog server or SC4S on a dedicated server.

As I said, I suggest engaging a Splunk Certified Architect.

Ciao.
Giuseppe
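The dedicated rsyslog concentrator that the reply recommends for Meraki syslog, as an added example that is not part of the original post or of Splunk's or Cisco's own documentation. It assumes the Meraki dashboard is pointed at this host on port 514 (UDP or TCP), that logs are written under /var/log/meraki for a Splunk Universal Forwarder running as user splunk to pick up, and that the queue sizes are reasonable for a small number of devices; all of these are assumptions to adjust for your environment.

```conf
# Added example (not from the original post): rsyslog (RainerScript syntax,
# rsyslog v7 or later) on a dedicated syslog concentrator that receives
# Cisco Meraki syslog and writes one file per sending device for a Splunk
# Universal Forwarder to monitor. Port 514, the path /var/log/meraki, the
# "splunk" owner and the queue sizes are assumptions for this example.

module(load="imudp")
module(load="imtcp")

# Bind the listeners to a dedicated ruleset so Meraki traffic never mixes
# with the concentrator's own local syslog (which keeps its default ruleset).
input(type="imudp" port="514" ruleset="meraki")
input(type="imtcp" port="514" ruleset="meraki")

# One directory per source IP, one file per day, so the forwarder's
# monitor stanza can use the directory name as the host and rotation
# needs no extra tooling.
template(name="merakiFile" type="string"
         string="/var/log/meraki/%fromhost-ip%/%$year%-%$month%-%$day%.log")

# Write the raw message unchanged: Meraki lines already carry their own
# epoch timestamp and device name, and the add-on parses that format.
template(name="merakiRaw" type="string" string="%rawmsg%\n")

# A queued ruleset absorbs bursts (e.g. flow logs from a busy MX) without
# dropping UDP datagrams while the disk is busy.
ruleset(name="meraki"
        queue.type="LinkedList"
        queue.size="100000"
        queue.dequeueBatchSize="1000") {
    action(type="omfile"
           dynaFile="merakiFile"
           template="merakiRaw"
           dirCreateMode="0750"
           fileCreateMode="0640"
           dirOwner="splunk" dirGroup="splunk"
           fileOwner="splunk" fileGroup="splunk"
           asyncWriting="on")
    # Nothing else on this host should process these messages.
    stop
}
```

On the same host, a Universal Forwarder with a monitor stanza for /var/log/meraki (with the sourcetype expected by the Meraki add-on you install) and an outputs.conf pointing at the Indexer(s) completes the path; if you use SC4S instead, it ships its own syslog-ng configuration and sends to the indexers over HEC, so this rsyslog file is not needed. Two caveats a practitioner would want: plain syslog over UDP is neither authenticated nor encrypted, so restrict port 514 at the host firewall to the Meraki source addresses (Meraki sends from the appliance's own uplink IP, which is why the template keys on %fromhost-ip%), and if the cloud-to-on-premise leg crosses an untrusted network, use the TCP listener with rsyslog's TLS driver rather than UDP.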