I need to add a new data input from a mount, but I have a distributed architecture (one forwarder / search head and two indexers). Should the mount go to the search head / forwarder or to both indexes?
What is the recommended solution for this?
One of the goals of a distributed architecture such as yours is to separate data input (performed by the forwarder) from the indexing and searching activities (performed by the indexer).
I would recommend mounting the filesystem that holds the files you want as input on your forwarder, and configuring a [monitor] stanza in inputs.conf to monitor those directories.
On a different topic, you may want to host your search head on a different server than your forwarder so that if your forwarder goes down you would still be able to search your indexed data.
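The setup recommended in the answer above, sketched as an added configuration example that is not part of the original posts. The mount point, index name, sourcetype and indexer hostnames are placeholder assumptions, and port 9997 is only the conventional receiving port.

```ini
# inputs.conf on the forwarder, the only host where the filesystem is mounted.
# /mnt/applogs, app_logs and app:log are placeholder values for this example.
[monitor:///mnt/applogs]
index = app_logs
sourcetype = app:log
recursive = true
# Only pick up files ending in .log, so other files on the share are not ingested.
whitelist = \.log$
disabled = false

# outputs.conf on the same forwarder: send the monitored data to both indexers.
# idx1.example.com and idx2.example.com are placeholder hostnames.
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
# Listing both indexers makes the forwarder load-balance between them.
server = idx1.example.com:9997, idx2.example.com:9997
# Ask the indexers to acknowledge received data before the forwarder discards it.
useACK = true
```

The target index has to exist on both indexers, and the account running the forwarder only needs read access to the mount, so the share can be mounted read-only.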