I am testing our new indexer cluster using our existing search head. I added the indexer cluster servers to "dist_search" and created an indexer group so I can search just the cluster. However, all of the logs I am searching are duplicated.
I am not sure if this is because of the dist_search settings I have, a mis-configuration of the index cluster, or something else.
I did have load balancing set up on the heavy forwarders, sending to all 3 indexers. I removed that config and am only sending to 1 indexer, but the events are still duplicated.
Please help! Thanks!
↧