I've got a four-node ELK stack, each VM with 2 cores and 14 GB of RAM. I am seeing constant >75% utilization of CPU and memory, which leads me to believe it is slowing down the indexing at times. We are forwarding a massive amount of logs into Logstash (IIS, SQL, ULS, PaaS and more from many servers) and noticing it often slows down with the indexing, causing logs to be delayed when looking at Kibana.
Here is my question - would it be better to add more cores / RAM to the existing nodes in the stack, or keep those nodes as they are, and add another node or two to the stack (keeping the same 2 cores 14 GB RAM spec)?
Thank you!