When we say dedicated deployment server in Splunk Enterprise, does it mean search head and indexing are disabled?
There is nothing to disable. The functionalities should not be used.
I need search head and indexer as well along with deployment server stacked in a single virtual server. This indexer and search head would be needed to capture Splunk internal logs for routine health checkup.
You can do selective forwarding; you can keep _internal logs at deployment server level, as you mentioned you don't have control on search head. But best practice is to monitor everything search head by collecting all logs to indexers.
As per Splunk docs it says having DS with search head should handle only up to 50 clients as a best practice.
I don't think you will have more than 10 alerts configured on deployment server with _internal logs.
Do I need to consider this as well, or will it work fine with having only 1 DS for 400 servers and this DS having search head & indexer?
Having 12 CPUs & 12 GB Memory will serve your purpose of managing 400 servers and SH & Indexer.