Where you'll point your UFs depends on what approach you go ahead with.
- You can use the indexer discovery feature as described here: https://docs.splunk.com/Documentation/Splunk/7.2.3/Indexer/indexerdiscovery
- You can configure your UF's app to have a list of all your indexers mentioned in your inputs.conf file.
I would suggest having a minimum of 3 indexers. This protects you in case of an indexer failure.
Let's say you set your Replication Factor/Search Factor to 2. That means all the data you're ingesting would live on both indexers. In a situation where one of your indexers dies, the other one becomes a single point of failure. You'll also see the Cluster Master complaining, etc. Having a minimum of 3 indexers would give you a lot of breathing space even if one of your indexers dies. Splunk would copy all the buckets (data) which were on the indexer which has died onto the remaining 2 indexers.
Cluster Master can live on a light machine. A VM is ideal!
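
The two forwarder approaches from the answer above, sketched as forwarder-side `outputs.conf` stanzas. This is an added example, not part of the original post; the host names, group names, ports and the key placeholder are assumptions, and a forwarder would use one option or the other.

```ini
# outputs.conf on the universal forwarder (constructed example)

# --- Option 1: indexer discovery --------------------------------------
# The forwarder asks the cluster master for the current list of peers,
# so indexers can be added or replaced without touching the forwarders.
[indexer_discovery:cluster1]
# Shared secret; must match pass4SymmKey under [indexer_discovery]
# in server.conf on the cluster master. Placeholder value, not a real key.
pass4SymmKey = <indexer-discovery-secret>
# Management port of the cluster master (hypothetical host name)
master_uri = https://cm.example.com:8089

[tcpout:cluster1_peers]
indexerDiscovery = cluster1
# Wait for indexer acknowledgement before discarding sent data
useACK = true

[tcpout]
defaultGroup = cluster1_peers

# --- Option 2: static list of indexers --------------------------------
# Every indexer is listed explicitly; the forwarder load-balances across
# them. The list has to be updated on each forwarder when peers change.
# Use this group instead of the one above, not in addition to it.
# [tcpout:static_peers]
# server = idx1.example.com:9997, idx2.example.com:9997, idx3.example.com:9997
# useACK = true
#
# [tcpout]
# defaultGroup = static_peers
```

With indexer discovery the shared key sits on every forwarder, so distribute the app over a trusted channel and restrict read access to the file.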