We have the same license amount and currently run an AWS solution as well, so here are our specs as an example for you. Please note that we use Splunk Enterprise Security, so I've substituted M4 instances for C4 instances where they would be more appropriate without ES (I did it so it wouldn't moan about RAM).
Indexers:
4 x M4.4xlarge (100 GB GP2 Volume "/opt/splunk", 3 TB GP2 Volume "/data/splunk_hot", 8 TB ST1 Volume "/data/splunk_cold", 1 TB ST1 Volume "/data/splunk_frozen" ~ 9 months live retention based on our current loads).
Search heads:
1 x C4.4xlarge (100 GB GP2 Volume "/opt/splunk") - General Use
1 x M4.4xlarge (100 GB GP2 Volume "/opt/splunk") - Enterprise Security
Cluster Master Server:
1 x C4.xlarge (100 GB GP2 Volume "/opt/splunk")
Settings:
Multisite - true
2 indexers and 1 sh per site, sites are defined by AWS Availability Zones, Master sits on site1
All indexes are replicated, rep factor is origin:1, total:2 for rep and search factor.
Summary replication - true
UseACK for forwarders - true
I've not listed other devices as they're not relevant to our setup; things like deployment servers and heavy forwarders are defined more by process requirements/geolocation for my Org (we have both cloud and on-prem forwarders). The above core system handles search load for ~20 non-security users, ~12 security users, and the system search load.
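As an added example that is not part of the original post and not the poster's actual configuration, the settings listed above map onto Splunk .conf stanzas along these lines. Host names, ports, the output group name and the key placeholder are assumptions, and the two-site layout is inferred from the indexer and search head counts.

```ini
# --- server.conf on the cluster master (sits on site1) ---
[general]
site = site1

[clustering]
# The post predates the "manager" naming; newer releases use mode = manager
mode = master
multisite = true
# Two sites assumed, one per AWS Availability Zone
available_sites = site1,site2
# "rep factor is origin:1, total:2 for rep and search factor"
site_replication_factor = origin:1,total:2
site_search_factor = origin:1,total:2
# "Summary replication - true"
summary_replication = true
# Placeholder: set a real shared secret, identical on every cluster member
pass4SymmKey = <cluster-shared-secret>

# --- server.conf on each indexer (site1 or site2 according to its AZ) ---
[general]
site = site2

# Hypothetical replication port
[replication_port://9887]

[clustering]
mode = slave
# Hypothetical master address
master_uri = https://cm.example.internal:8089
pass4SymmKey = <cluster-shared-secret>

# --- outputs.conf on forwarders ---
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# Hypothetical indexer addresses, spread across both sites
server = idx1.example.internal:9997, idx2.example.internal:9997
# "UseACK for forwarders - true": resend data until the indexer acknowledges it
useACK = true
```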