You may be able to work this out based on the search log:
Run your search
Click on "Job" > "Inspect Job"
Look under "Execution costs" for the "dispatch.stream.remote" section which lists each indexer queried and how long it took.
and/or click the "Job Details Dashboard" link on the top of the job inspection page and scroll to the bottom to see "Time Spent Running Search Per Indexer"
Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards
only one additional information: search_factor=1 isn't a good configuration because having one indexer down, you don't have all the data available for searches, at least use SF=2, it's better, even if in this way you must use more storage space.
And when you have multisite cluster you are quite probably talking about site_search_factor not about search factor which are still there but valid only inside each sites. https://docs.splunk.com/Documentation/Splunk/9.4.1/Indexer/Multisitearchitecture SSF and SRF should be at least 2 (usually those are 2 or max 3, depending on how many sites you have). Then there is also search affinity parameter which told are SHs using all sites or only their own site’s indexers when they are searching.
You may be able to work this out based on the search log:
Run your search
Click on "Job" > "Inspect Job"
Look under "Execution costs" for the "dispatch.stream.remote" section which lists each indexer queried and how long it took.
and/or click the "Job Details Dashboard" link on the top of the job inspection page and scroll to the bottom to see "Time Spent Running Search Per Indexer"
Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards
