Hi, I'm having to deploy Splunk for the very first time, having never worked with it before, and I'm struggling to understand some of the basic architecture. I have been tasked to set up Splunk ES and UBA for what will be a maximum of 20 users, a handful of forwarders and currently 6 data sources (expanding to 10).

The first question I wanted to ask is related to UBA: if I set up a single master node to begin with, can I expand that later down the line to 3 nodes (to cater for the 10 data sources)? Is there anything I need to be aware of before doing so, to take this into consideration for the future when the remaining data sources come online?

I am now going to ask a daft question: in the topology of a small enterprise deployment, does an indexer equate to a single server with an instance of Splunk Enterprise? For our setup, how do I determine the number of indexers required? Can someone just explain to me the number of physical servers (VMs) required in this type of scenario? It would be of great help.

Appreciate any help in my understanding of this, as I am losing sleep over it.