I would like to build a Splunk multisite indexer cluster. However, I am concerned by the amount of network traffic generated if I enable replication between two sites. Therefore, I am considering disabling replication between sites. But in this case not all the data will be available locally within the site and there might be a situation where a search head from one site will be obtaining search results from a remote site. This will generate network traffic anyway and the latency might impact search performance. What do you think? What option is the best if I want to minimize traffic between the sites but at the same time maximize search performance?
... View more