I've been told that "Best Practices" (one of my least favorite terms) is to leave Splunk Enterprise Security (ES) on its own Search Head (SH) and put all your other apps and custom searches on a different SH. True? Comments?
You can install Enterprise Security on a single instance (search head and indexer on the same machine), which is useful for proof-of-concept work. In production, you should run ES in a distributed deployment, in which case you should have a dedicated search head. See Deployment planning in the Splunk Enterprise Security Installation and Upgrade Manual.
Definitely true. ES is a beast and runs a ton of Data Model Accelerations and searches. I would not ever run anything on an ES Search Head but ES stuff. Ever.
Yes, my apologies, I was rushing to a meeting and did not include enough information. This is a production environment and a distributed environment ingesting a few hundred gig per day of diverse data.