Understanding distributed search
In a Splunk distributed deployment, the main components involved in distributed search are the search head and the indexer (also called a search peer). A distributed deployment connects multiple Splunk instances (search heads and indexers) so that they function as a unified system, enabling scalability and efficient resource utilization.
The search head is responsible for presenting the Splunk interface to the user. It handles search management tasks and distributes search requests issued by the user to the indexers, which are also known as search peers. The search head coordinates the search process by sending search queries to the indexers and consolidates the results received from them. It then presents the aggregated results to the user.
On the other hand, the indexer is responsible for data indexing. It receives search requests from the search head and processes them by searching through the indexed data. The indexer returns the relevant results (based on...
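The search head / search peer division of labour described above, as an added toy model written for this explanation (it is not Splunk's own code). The class and function names (`SearchPeer`, `SearchHead`, `dispatch`, `run_demo`) and the sample events are constructed for the example; what it shows is the search head fanning a query out to each peer, each peer filtering only its own indexed data and computing a partial aggregate locally, and the search head merging, sorting and reporting any peer it could not reach rather than silently returning an incomplete result.

```python
"""Toy model of Splunk-style distributed search (added example, not Splunk code).

Names and sample data are constructed for this illustration."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class SearchPeer:
    """An indexer: stores indexed events and answers searches over them only."""
    name: str
    events: list = field(default_factory=list)  # dicts with _time, host, sourcetype, ...
    online: bool = True

    def search(self, query: dict, earliest: int, latest: int) -> dict:
        """Run the 'map' part of a search against local data.

        query maps field name -> required value (hypothetical simplification
        of a Splunk search string such as 'sourcetype=access').
        """
        if not self.online:
            raise ConnectionError(f"peer {self.name} unreachable")
        hits = [
            e for e in self.events
            if earliest <= e["_time"] <= latest
            and all(e.get(k) == v for k, v in query.items())
        ]
        # Partial aggregation happens on the peer, so only a small summary
        # (not every raw event) has to cross the network for a stats-style query.
        partial = Counter(e["host"] for e in hits)
        return {"events": hits, "count_by_host": partial}


class SearchHead:
    """Coordinates the search: fans the query out, then merges peer results."""

    def __init__(self, peers: list):
        self.peers = peers

    def dispatch(self, query: dict, earliest: int, latest: int) -> dict:
        merged_events, merged_counts, failed = [], Counter(), []
        for peer in self.peers:
            try:
                result = peer.search(query, earliest, latest)
            except ConnectionError:
                failed.append(peer.name)  # surface the gap instead of hiding it
                continue
            merged_events.extend(result["events"])
            merged_counts.update(result["count_by_host"])
        # The head performs the final 'reduce': a global sort, newest first.
        merged_events.sort(key=lambda e: e["_time"], reverse=True)
        return {
            "events": merged_events,
            "count_by_host": dict(merged_counts),
            "failed_peers": failed,
        }


def build_demo_peers() -> list:
    """Constructed sample data: three peers, one of them unreachable."""
    idx_a = SearchPeer("idx-a", [
        {"_time": 100, "host": "web1", "sourcetype": "access"},
        {"_time": 105, "host": "web2", "sourcetype": "access"},
        {"_time": 110, "host": "web1", "sourcetype": "syslog"},
    ])
    idx_b = SearchPeer("idx-b", [
        {"_time": 102, "host": "web3", "sourcetype": "access"},
        {"_time": 120, "host": "web1", "sourcetype": "access"},  # outside range
    ])
    idx_c = SearchPeer("idx-c", [], online=False)
    return [idx_a, idx_b, idx_c]


def run_demo() -> dict:
    """Search sourcetype=access over _time 100..115 across all peers."""
    head = SearchHead(build_demo_peers())
    return head.dispatch({"sourcetype": "access"}, earliest=100, latest=115)


if __name__ == "__main__":
    out = run_demo()
    for e in out["events"]:
        print(e["_time"], e["host"])
    print("count by host:", out["count_by_host"])
    print("unreachable peers:", out["failed_peers"])
```

The `failed_peers` list is the part worth keeping in mind operationally: in a real deployment a peer that drops out of the search means results are silently incomplete unless the search head reports it, which matters when the search is a detection rule.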