As mentioned in other comments, with light to moderate use on a single instance, we would recommend 12 CPU Cores minimum. In a distributed environment, your requirements may increase based on your needs.
With that said, you will want to avoid Real Time Alerts as those searches will be running all the time and prevent other searches from being dispatched. Keep in mind, Splunk can only run so many searches at a given time. Here is the calculation:
https://answers.splunk.com/answers/270544/how-to-calculate-splunk-search-concurrency-limit-f.html
If your Real Time Alerts are simply sending an email, you should replace all of those with scheduled searches which send an alert and schedule them to run very often, for example every 5 minutes. In this example, there was a RT search running and we replaced it with a scheduled search which runs every 5 minutes, looking back 5 to 10 minutes. The reason we do that is to allow for index latency, to help guarantee that the relevant event isn't missed.
You could adjust that accordingly of course and set Earliest to -8m@m and Latest to -3m@m and run the search every 3 minutes. In summary, make sure you eliminate any unnecessary real time searches. If you are running too many searches in general, adjust the schedules to run less often.
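An added example, not part of the original answer: a Python model of the scheduled-search windows described above, with time in whole minutes, that reports whether consecutive runs leave gaps or overlap and which events are never returned because they were indexed too late. The function names and sample events are constructed for illustration.

```python
"""Model a scheduled alert's search windows in whole minutes of event time."""

def run_times(every, runs):
    # Minute marks at which the scheduler dispatches the search.
    return range(every, every * (runs + 1), every)

def run_windows(every, earliest, latest, runs):
    """Window [start, end) searched by each run, for Earliest=-<earliest>m@m
    and Latest=-<latest>m@m (earliest is inclusive, latest is exclusive)."""
    return [(r - earliest, r - latest) for r in run_times(every, runs)]

def gaps_and_overlaps(windows):
    """Minutes searched by no run / by two runs, summed over consecutive runs."""
    gap = overlap = 0
    for (_, prev_end), (start, _) in zip(windows, windows[1:]):
        gap += max(0, start - prev_end)      # event time no run looks at
        overlap += max(0, prev_end - start)  # event time two runs both return
    return gap, overlap

def missed(events, every, earliest, latest, runs):
    """Events (event_time, index_latency) that no run returns. A run at time r
    returns an event only if it falls in r's window AND is indexed by r."""
    out = []
    for t, lat in events:
        seen = any(r - earliest <= t < r - latest and t + lat <= r
                   for r in run_times(every, runs))
        if not seen:
            out.append((t, lat))
    return out

# Constructed sample: events at minutes 12, 13, 14 indexed 1, 4, 7 minutes late.
EVENTS = [(12, 1), (13, 4), (14, 7)]

if __name__ == "__main__":
    schedules = {
        "every 5m, -5m@m to now":    (5, 5, 0),
        "every 5m, -10m@m to -5m@m": (5, 10, 5),
        "every 3m, -8m@m to -3m@m":  (3, 8, 3),
    }
    for name, (every, earliest, latest) in schedules.items():
        gap, overlap = gaps_and_overlaps(run_windows(every, earliest, latest, 4))
        lost = missed(EVENTS, every, earliest, latest, 10)
        print(f"{name}: gap={gap}m overlap={overlap}m missed={lost}")
```

Overlapping windows mean an event can be returned by two consecutive runs, so an alert on such a schedule may fire twice for the same event.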