Can this be done or is the official Splunk guidance to utilize an index cluster? Curious if there's any current (potentially) possible method to achieve high-availability with only 2 indexers? My reading on index clusters has me thinking one needs at a minimum 3 licensed Splunk instances. At least, that's what I got from Splunk's documentation. You need one master, and at least 2 dedicated indexer peers. Where the search head goes in all of that and how that would be supported, I have no clue. I'm sure everyone can think of a very green reason as to why one would want to be able to just have a pair of indexers serve high availability without being forced into an index cluster kind of deployment. I can see older posts where apparently this used to be supported but my understanding now is that the only Splunk supported high-availability deployment is via index clusters. Can anyone confirm?
... View more