I would recommend you consider Professional Services, architecture planning is one of our offerings - https://securityonionsolutions.com/support

Distributed deployment is a must for any large scale deployment

Is that 10Gbps link fully saturated? For Sensor node hardware considerations check out https://docs.securityonion.net/en/2.4/hardware.html#sensor-hardware-considerations

For your endpoint count I would suggest

• at least 1 Fleet Node to handle the management of the agents and reduce overall load on the manager node. https://docs.securityonion.net/en/2.4/architecture.html#elastic-fleet-standalone-node
• 2 or 3 receiver nodes giving those endpoints additional locations where they can forward their logs. (Amount of receiver nodes you need could go up, depending on the performance you see once stood up)

As for searchnodes I will echo Chris from #15039

For search nodes, you would want to deploy enough to meet your data retention goals while having enough data nodes for shards. Each data node will give you 1000 shards in the cluster. So for example, if you are writing 10 Zeek indices/day (2 shards per index) that would be 1TB just in Zeek indices/day. Multiple nodes will also allow for data tiers, you can have hot phased data on one node, warm on another, etc.