Search Nodes: Is More Better? #8663
Replies: 2 comments 2 replies
-
|
If you have not activated "true ES clustering" then the search node will work as a independent cluster. Meaning that the data will be loadbalanced between the seach nodes. But in the case of one of the node goes down, you will lose the data on that node. You can get more info on the docs Docs |
Beta Was this translation helpful? Give feedback.
-
|
In either case, data will be distributed across the different nodes. Traditional clusters should be more performant, in general. If you are not making modifications to the number of replicas, then it's primarily about performance gains. |
Beta Was this translation helpful? Give feedback.
-
|
So just to be clear, you should see performance gains if you add another search node? (In cross cluster search, not traditional) |
Beta Was this translation helpful? Give feedback.
-
|
Typically, yes. If you have more nodes, you can spread the data and the search requests across them. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Good Afternoon,
Please forgive me if this question has already been asked, but when you have more than one search node (in my case 3), do each of the search nodes have a complete copy of all events/alerts that are in the security onion environment? A exact copy of the Elasticsearch databases?
I am just trying to understand the architecture a little better to see if adding more search nodes will increase performance or just add redundancy.
Thanks!
Beta Was this translation helpful? Give feedback.
All reactions