Earlier today, we changed the searching (peer config) so that our search heads will only perform searches across 4 physical indexers.
We did this in an attempt to reduce what we think are issues with some indexer instances on virtual machines.
What report can I run that will best highlight performance for searches, comparatively? My head's awash in Indexing Performance vs Search Activity vs Search Usage, and I keep sliding down rabbit holes. And no, we didn't do the reconfig based on another report, nor did we baseline anything to work off of, report-wise. 😞
if you have a saved search that was working for a while, you can quickly check performance leveraging the _audit
index
something like this will tell you how long it took the search to run over time.
index = _audit duration savedsearch_name="SearchNameHere"
| timechart span=15m avg(total_run_time) as total_run
if you removed indexer yesterday, try and run it for the last 3 days or so.
hope it helps