Hi All
I have limited experience with Splunk (just over a year) and I joined a new team with a pretty hefty Splunk rollout: many search heads, a large index cluster (sorry, I can't give away the details).
Anyway, I noticed that there are like 50 indexes on the index cluster as shown on the Cluster Master, yet some of the search heads (which are not clustered, by the way, just letting you know) have maybe 75 or up to 95 indexes on them. I see that these search heads are set up to forward their indexes to the index cluster, but I don't get two things:
1. How do you fit 75 indexes from the search head into 50 indexes on the index cluster? Ha ha.
2. Are there any advantages or disadvantages to having local indexes on the search heads which are totally empty and just forward them to the index cluster? Why would anyone do that?
I hope you followed all that and can educate me on it. Thank you.
Hi @Gregski11,
On an indexer cluster, only the indexes defined on the Cluster Master are active. Since the search head is forwarding its events to the cluster, it is normal that all of its indexes are empty.
It is a best practice to put a copy of indexes.conf on the search heads too. This will make autocomplete work in the search bar, which helps users remember index names.
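The question of how 75 search-head indexes map onto 50 cluster indexes comes down to comparing stanza names in the two indexes.conf files. The script below is an added example, not code from either poster: it parses two indexes.conf texts (constructed samples here; file paths in a real deployment are an assumption) and reports indexes that exist only on the search head, which matter because an indexer drops forwarded events for an index it does not have configured.

```python
import configparser

# Constructed sample indexes.conf contents. In a real deployment you would
# read these from the cluster master's pushed bundle and from the search
# head's local configuration (paths vary per install; assumption).
CLUSTER_MASTER_INDEXES_CONF = """
[default]
repFactor = auto

[volume:hot]
path = /opt/splunk/var/lib/splunk

[main]
homePath = volume:hot/defaultdb/db

[web_proxy]
homePath = volume:hot/web_proxy/db

[auth_logs]
homePath = volume:hot/auth_logs/db
"""

SEARCH_HEAD_INDEXES_CONF = """
[main]
homePath = $SPLUNK_DB/defaultdb/db

[web_proxy]
homePath = $SPLUNK_DB/web_proxy/db

[auth_logs]
homePath = $SPLUNK_DB/auth_logs/db

[legacy_app]
homePath = $SPLUNK_DB/legacy_app/db
"""


def index_names(conf_text: str) -> set[str]:
    """Return index stanza names from an indexes.conf, skipping [default],
    [volume:...] and [provider...] stanzas, which are not indexes."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case exactly as written
    parser.read_string(conf_text)
    return {s for s in parser.sections()
            if s != "default" and not s.startswith(("volume:", "provider"))}


def compare_indexes(cluster_conf: str, search_head_conf: str) -> dict[str, set[str]]:
    """Indexes only on the search head receive no data on the cluster;
    indexes only on the cluster will not autocomplete on the search head."""
    cluster, sh = index_names(cluster_conf), index_names(search_head_conf)
    return {"search_head_only": sh - cluster, "cluster_only": cluster - sh,
            "common": cluster & sh}
```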