Distributed ES Architecture

In production, ES runs on a **Search Head Cluster (SHC)** for high availability, pulling data from an **Indexer Cluster** for redundancy.

Technology Add-ons (TAs) are deployed to the **indexers** via the Cluster Master/Manager and to **forwarders** via the Deployment Server. The ES app itself stays on the SHC.

Data flow: Forwarder → Indexer (with TA for index-time parsing) → Search Head (ES + CIM for search-time enrichment).