The index exists on server1. It only needs to exist on server1, not on server2. So the question is, will I need 2 heavy forwarders to be able to filter my events sent to indexes, 1 per indexer (or index cluster)?
Why doesn't it exist on the other server? It doesn't need to be there, and won't it count it double to index the data to 2 separate indexers? In other words, I'll be paying for data I won't need.
As for the reason why we are splitting things up: performance and security. It makes it easier for us to physically split the servers and indexes for certain sources. Not everything.
As for the second: in the transforms bit, you can see I call both. If I first call the adlog and after that the dropadlog, it drops nothing. If I first call the dropadlog and after the adlog, it only passes on 2 eventcodes and drops the rest. Mystery.