This question is helpful, but I have a client who needs more detail on a WMI-polling environment. Ideally a conference call with an architect. Specifically:
- What is your largest known WMI-polling architecture?
- Which server in a search head - multiple indexers - multiple LFs and collectors environment should do the WMI collection?
- Is ~120 servers a best practice for the number of servers polled per 16GB Splunk server?
- What is an appropriate polling frequency? They want as close to real-time alerts as possible.
- What is the effect on the polled machine?
- Is load balancing possible, so that if LF1 is down, LF2 can handle the polling?
Let me know if I should break this out into multiple questions on here. Thanks!