We have 8 indexers and all are connected to search heads through distsearch.conf (the names are mentioned sequentially, e.g. idx01-idx08).
We have a bunch of RT searches running along with normal historical searches (which pull data from all the indexers). For the last couple of weeks, I have been observing that idx01 has been using almost 95% of the CPU most of the time, whereas the other indexers show occasional spikes but do not run at 95%+ CPU all the time. I don't know why only idx01 is affected so much.
Any clue?
In case this information helps: this started when we began implementing SIEM.