Configuring distributed search
The distributed search feature requires configuration to establish connectivity from the search head to indexers or search peers. Every implementation, from a standalone search head and indexer architecture to a large-scale multisite clustering setup, makes use of the distributed search feature. Refer to the deployment type in Figure 7.2, which has three search heads in a cluster that use distributed search to interact with three independent indexers. Indexers receive data for indexing from various sources, such as universal forwarders, syslog inputs, and technology add-ons. Here are a few essential points to understand about distributed search:
- Search heads are preconfigured to send queries to search peers upon user request.
- Search heads consolidate the results received from peers that participate in the search.
- Search heads present the results to the user.
- A continuous background process called knowledge bundle replication runs (you...