Hi there
Theoretical scenario:
I have one search head and two indexers all on physical servers
I am forwarding all syslog data from the application servers to both indexers via syslog-ng
When I perform a search across the x2 search peers (indexers) will I get duplicate entries or does splunk handle this?
Many thanks
Toby
Because events will exist in both places, you will get duplicate entries.