Your systems do not meet the minimum specifications for core Splunk, either. You need to have a serious chat with your systems team, as this will be a very poor experience. Splunk on virtual environments must have reserved resources, and with the negative performance impact of the Meltdown/Spectre patches, having more than minimum resources to run Splunk is generally necessary unless you have a very lightly used environment.
Next, you cannot have a SHC with only two members. This is 100% not supported.
Third, if you are not familiar with Enterprise Security or Search Head Clustering, you will have an extremely steep learning curve implementing both.
I highly recommend that you step back, read all documentation regarding Enterprise Security and capacity planning, and then reassess your architecture and expertise level before continuing with your current plans.
The majority of our customers do not implement Enterprise Security without a professional services engagement.