I am planning to migrate from my single indexer to dual indexer clustering. Here we have two ways to do that:
1) Ask the forwarder to switch between two indexers in 30 seconds. Search Head will merge data from two indexers.
2) Distribute indexes in two indexers like index=OCSPROD in server1 and index=EBIZPROD in server-2. Configure forwarder to send logs to a specific indexer without switching between two.
Here my question is, which would be the best performance wise for search & reporting?
Are these two indexers going to be located at the same site? Would assuming same latency be correct?
If so - You'll want the forwarder to load balance between your two indexers, so when searching you can leverage distributed search against the two peers for best performance.
View solution in original post