Is there a specific reason you want the data to route through heavy forwarders? If it isn't because of fears of some sort of network straining, and you aren't doing parsing, it may make sense to just forward directly to Splunk Cloud. That will make the load on your heavy forwarders a bit more predictable and may allow you to have fewer. I know at one point you could only have one set of certs per instance of splunkd.
... View more