I have an architecture with a single SH and two indexers. I've installed the Splunk for Microsoft 365 add-on on the search head, so the collected logs are stored in the search head's index, but I want them to be stored on the indexers. Here are two other solutions:

- Either I continue with the initial setup and select only one indexer among the two to be the storage location for both the search head's data and the add-on.
- Or, I set up a new instance for the heavy forwarder on which I install the add-on, and I configure it to forward the indexes to the indexer.

Which solution is the best in my case?