I have a cluster of 4 master, 8 data and 2 client/query nodes. This is ingesting logs from logstash. Currently, logstash is sending to all the data nodes (assumption: its load balancing). Is this the most optimal way? Should logstash send to the client/query nodes instead? Currently, the client nodes are what Kibana and Grafana speak to and have the most RAM and cores provisioned for it.
Thanks in advance for any pointers.
Depends on your EPS and query load. If you do lots of queries then leaving things as they are is fine.
That's an odd number, why 4?
Thanks @warkolm.
I do foresee burst of queries coming in (~100). But not more. However, the queries could result in tons of data.
Well 4 masters because I started with 3 and they were spread out in different subnets and I felt one of them was flaky because of subneting issues so I brought another one up, but thats not the case so I kept 4. Ideally they should be 'odd' in number? (Will bring one down then)
Thanks.
Ideally they should be odd, do you have this set at least?
Yes, thanks for the pointer. I have it set to 3.
Slightly overwhelmed with all the knobs there are to squeeze out the best performance, will get there soon hopefully. (Hint: pointer to a nice 'Tips'n'Tricks would help) 
There's no single source for that, you kinda need to just go through each thing and optimise it.
That's what the forums (and support) are for 
Yeah, totally agree. I am reaching that same conclusion. Plus a lot of content on the web helps as well.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.