The first thing to know is that Windows search head clusters are not supported by Splunk Enterprise Security, so if you are not using nix you cannot do it. If you do, it is supported, but it is not the easiest to operationalize, especially if you have some new Splunkers. I would say if you are looking for HA, consider something like snapshot or Rsync. If you are about performance, make sure that you followed all best practices, from data onboarding, data model acceleration, searches, cron jobs and so on ... fix everything and then evaluate. If your environment is passing all those checks and you are still suffering ... then ES SHC is the way to go. I have seen Splunkers who are very successful with it and others who just cannot operate it.