This has helped me evaluate the different alternatives available in the past... Take a look to see if one may be helpful for your situation. Hope it helps! http://docs.splunk.com/Documentation/Splunk/7.1.3/Search/Abouteventcorrelation
... View more
This may also provide some clarification on multithread ingest/parallel indexes: https://docs.splunk.com/Documentation/Splunk/7.1.2/Indexer/Pipelinesets
... View more
In this thread here, it appears that the same problem was the result of the use of quotes around the search terms and once it was removed the issue was resolved. Oddly worded error if that winds up being the case?
... View more