I have a very mind-rattling situation here. I have a distributed environment (non-clustered) with 2 SHs and 3 indexers. My first SH act as the primary, while the second act as a slave. on a normal day I see all three of my indexers receiving equal amounts of data inputs. about three days ago I noticed that my third indexer has been carrying most of the load while the others were bare getting any data. It has since gotten worse. Today inder3 is showing 62%, indexer2-11% and indexer1-11%. I have also noticed the my /etc/system/local directory on the slave SH has not outputs.conf file while the master SH does have an outputs.conf in the same directory (is this normal?). I don't how to resolve this. Please help. Thanks
It is best practice to send search head data to indexer (as it maintains all instance data in Indexer) It is upto you whether data needs to forward to Indexer or not from Search Head.Since one of your search head is sending data why cant you configure SH2 also to send data to Indexer.