topic Splunk ES pulling notables from other ES instance in Splunk Enterprise https://community.splunk.com/t5/Splunk-Enterprise/Splunk-ES-pulling-notables-from-other-ES-instance/m-p/676018#M18545 <P>Hi Splunkers, today I have a "curiosity" about an architectural design I examinated last week.</P><P>The idea is the following: different regions (the 5 continents, in a nutshell), every one with its set of log sources and Splunk Components. All Splunk "items" are on prem: Forwarder, Indexers, SH and so on. More over, every region has 2 SH: one with Enterprise Security and another one without it. Untile now, "nothing new under the sun", like we say in Italy.<BR />The new element, I men new for me and my experience, is the following one: there is a "centralized" cluster of SH, each one with Enterprise Security installed on it, that should collect the notables events from every regional ES. So, the flow about those component should be:</P><P>Europe ES Notables -&gt; "Centralized" ES Cluster</P><P>America ES Notables -&gt; "Centralized" ES Cluster</P><P>And so on. So, my wonder is: is there any doc about forward Notables events from a ES platform to another one? I searched but I didn't find anything about that (probabile I searched bad, I know).</P><P>&nbsp;</P> Wed, 31 Jan 2024 08:54:28 GMT SplunkExplorer 2024-01-31T08:54:28Z Splunk ES pulling notables from other ES instance https://community.splunk.com/t5/Splunk-Enterprise/Splunk-ES-pulling-notables-from-other-ES-instance/m-p/676018#M18545 <P>Hi Splunkers, today I have a "curiosity" about an architectural design I examinated last week.</P><P>The idea is the following: different regions (the 5 continents, in a nutshell), every one with its set of log sources and Splunk Components. All Splunk "items" are on prem: Forwarder, Indexers, SH and so on. More over, every region has 2 SH: one with Enterprise Security and another one without it. Untile now, "nothing new under the sun", like we say in Italy.<BR />The new element, I men new for me and my experience, is the following one: there is a "centralized" cluster of SH, each one with Enterprise Security installed on it, that should collect the notables events from every regional ES. So, the flow about those component should be:</P><P>Europe ES Notables -&gt; "Centralized" ES Cluster</P><P>America ES Notables -&gt; "Centralized" ES Cluster</P><P>And so on. So, my wonder is: is there any doc about forward Notables events from a ES platform to another one? I searched but I didn't find anything about that (probabile I searched bad, I know).</P><P>&nbsp;</P> Wed, 31 Jan 2024 08:54:28 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-ES-pulling-notables-from-other-ES-instance/m-p/676018#M18545 SplunkExplorer 2024-01-31T08:54:28Z