We're in the process of doing a major upgrade to our Splunk environment. We're effectively moving from a single instance of Splunk doing everything to a "future-proof" setup with multiple indexers, multiple search heads and a separate deployment server.
I'd like to understand what best practice is for how dashboards and alerts should be set up in such an environment.
With 2 or more search heads, does a dashboard created on one search head appear on another search head? How do we achieve this? We plan on placing a load balancer in front of our search heads to distribute user load.
How do alerts work? If we create an alert by logging into one of the search heads, can we then configure it on the other search head? If it appears on both search heads, does the alert run twice?
I have the same question and would appreciate any input on the topic.
Also, how to manage user settings in the aforementioned environment when users access different search heads and view the same dashboard?