Apart from the list of questions, there are some more that would be useful for a Splunk Solution Architect:
Is this a stand-alone Splunk instance or a distributed deployment?
How are the indexers placed (close to the application servers, or away in another data center)?
By default, forwarders (FWDR) are configured to consume 256kbps of bandwidth. Is this sufficient, or can the customer/business unit allocate more?
Do you need the logs in offline/archive format for compliance/regulatory reasons? If so, provision archival/backup storage accordingly.
Are there any key terms within application logs that should/can be discarded, or special event logs that should be routed and filtered to a special index?
Is there a plan to migrate the application to a different platform (OS, language, on-premises to cloud, etc.)? If so, get it documented right now.
Suggest that OS and network logs be collected/captured for better troubleshooting of application-related errors, latency problems, and other challenges/concerns in the future.
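The three points above about forwarder bandwidth, archival storage and routing/filtering each map to a Splunk .conf setting. The following is an added illustration, not part of the post above and not Splunk's own documentation: limits.conf raises the forwarder throttle (the [thruput] maxKBps setting, whose default value is 256 kilobytes per second), props.conf/transforms.conf drop noisy events and route a class of events to a dedicated index, and indexes.conf gives that index its own retention and an archive path. The sourcetype "app:payments", the index name "security", the regexes, the retention period and the archive directory are all assumed for the example.

```ini
# limits.conf on the universal forwarder
# (deploy it in an app's local/ directory rather than editing system/local)
[thruput]
# Default is 256 (KB per second). Raise it once the network team agrees;
# 0 removes the throttle entirely. 1024 here is an assumed value.
maxKBps = 1024

# props.conf on the indexer or heavy forwarder that parses the data.
# Routing happens at parse time, so a universal forwarder cannot do this.
# "app:payments" is an assumed sourcetype for this example.
[app:payments]
# Transforms run left to right: discard first, then route what is left.
TRANSFORMS-routing = drop_healthchecks, route_auth_failures

# transforms.conf, alongside props.conf
[drop_healthchecks]
# Discard keep-alive noise outright by sending it to nullQueue.
# Dropped events are never indexed and never count against licence.
REGEX = GET /healthz
DEST_KEY = queue
FORMAT = nullQueue

[route_auth_failures]
# Send authentication failures to a dedicated index so they can be kept
# longer and access-controlled separately. Index name is assumed.
REGEX = (?i)authentication failed
DEST_KEY = _MetaData:Index
FORMAT = security

# indexes.conf on every indexer: the destination index must exist,
# otherwise routed events are dropped with a warning in splunkd.log.
[security]
homePath   = $SPLUNK_DB/security/db
coldPath   = $SPLUNK_DB/security/colddb
thawedPath = $SPLUNK_DB/security/thawedb
# Assumed compliance retention of two years (63072000 seconds); the
# stock default is about six years.
frozenTimePeriodInSecs = 63072000
# Buckets rolling to frozen are copied here instead of deleted, which
# is the offline/archive copy the compliance question asks about.
coldToFrozenDir = /archive/splunk/security
```

Two checks worth doing before sign-off: confirm the routing stanza with `splunk btool props list app:payments --debug` on the parsing tier so the merged configuration is what you expect, and confirm that whatever lands in coldToFrozenDir is on storage that is itself backed up, since Splunk only copies the bucket there and does not manage it afterwards.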