Hi @metmox1, ES architecture and dimensioning isn't an easy job, I hint to engage a Splunk PS or at least a Splunk Architect with experience in ES architectures, because there are requirements and attention points different than Splunk Enterprise, (only for example: for Splunk Enterprise you use one Indexer to index until 200 GB, with ES until 100-150 GB. Hardware requirements are described at https://docs.splunk.com/Documentation/ES/7.0.1/Install/DeploymentPlanning but as I said, it's mandatory to have training and experience on ES. Ask to your reference Splunk Partner to help you; if you are a Splunk Partner ask to your managers to partecipate to a training (I did it!) Ciao. Giuseppe ... View more