I have inherited a Splunk non-clustered, distributed Enterprise environment. I believe that my Splunk instances have too many server roles assigned to them.
Is there documentation stating:
- What role(s) should a Heavy Forwarder have?
- What role(s) should a Search Head have? (Search Head role only, or KV store as well?)
- What role(s) should an Indexer have? (Indexer role only, or KV store as well?)
- What role(s) should a Deployment Server have?
- What role(s) should the DMC Server have? Right now, the 4 server roles, Indexer, KV Store, License Master, and Search Head are assigned to my DMC. It is the License Master for my infrastructure so I know that role is required.
I am having a hard time finding documentation online that explicitly states how the server role assignment should be.
Thanks in advance.