Hi

I have configured the below
http://docs.splunk.com/Documentation/Splunk/7.2.1/DistSearch/Parallelreduceoverview

Am i right to say i have to use the command Redistribute in my search to use this or is this something extra for high-cardinality searches?

But i am not seeing an performance decrease, so how can i check it is working?
I have one search head and 2 indexers (non-Clustered)

I have set the following on the indexers

server.conf
[parallelreduce]
pass4SymmKey = $7$qkfkqE35XUbVp9oAqD2M+bBQVTufnczdRnyIcnuQrbXhAV/u+7QyBaXR

 limits.conf
    [parallelreduce]
    reducers=10.25.5.169:5089, 10.25.53.57:5089

I have added in both indexers here, i am assuming i need to add in it self?

My user can run the command
run_multi_phased_searches
http://docs.splunk.com/Documentation/Splunk/7.2.1/DistSearch/Setupparallelreduce

Then i run the command and add redistribute to the command (If i understand correctly this is what we are to do!!) - But below does not work.

    | tstats summariesonly=true      chunk_size=1000000000 max(MXTIMING.Elapsed) AS Elapsed  FROM datamodel=MXTIMING_V9 WHERE 
    host=Luas_TestCampaign_PI9_2 
GROUPBY _time MXTIMING.Machine_Name MXTIMING.Context+Command MXTIMING.NPID MXTIMING.Date MXTIMING.Time MXTIMING.MXTIMING_TYPE_DM source MXTIMING.UserName2 MXTIMING.source_path MXTIMING.Command3 MXTIMING.Context3 span=1s | redistribute by _time

So the errors i am getting is below - But i don't understand i have tried to put redistribute in multiple parts of the search

Redistribute Processor: Cannot redistribute events that have been aggregated at the search head. Place the redistribute command before transforming commands that do not have a 'by' clause.

http://docs.splunk.com/Documentation/Splunk/7.2.1/SearchReference/Redistribute

Any help would be great - or how can i check what log