I am planning to create a Splunk lab.
2 Forwarders- who will receive the logs from multiple sources(windows, UNIX, log files, etc)
2 indexers who are you replicating data with each other
Q-Now how can I configure indexes to replicate data with each other?
thanks for your kind reply.
I believe that I need another server as index cluster.
I am limited with resources.
This is not best practice, but you can make your search head as cluster master and then configure indexer clustering, as you have limited resources.
Don't cluster your indexers until you have 3 indexers and 1 cluster master available
You can configure your SH to search through both indexers .
That will be the best shot in this scenario
Configure your SH to search thru both indexers.
Thats will be the best shot for dev . environment