Can I configure a search head cluster if there is no data replication across data centers?

vinitatacenture
New Member

I have 6 standalone Splunk instances across different data centers (DCs) and data is not replicated across DCs for security reasons.

The requirements are:
a) Power users - should be able to access logs in their DCs - which is possible and I can configure index-level access

b) Admin users - should have access to all the information. - This is what I need help for. What would be the best architecture?

Possible solutions
a) Have a SH in one of the DCs and configure SH as a Search peer for all indexers
b) Configure an SH cluster across DCs. - But the question is, can I configure an SH cluster if there is no data replication, and if yes, then how do I configure it?

Please suggest if there is any alternate solution.

0 Karma

somesoni2
SplunkTrust

To answer the question for solution b: no, if no data replication is possible, then an SHC can't be configured. The SH replicates user configs and a lot of other info across the SHC, and if communication is not allowed between data centers/search heads, this would not work. In fact, you won't even be able to set it up.

For solution a, is access to the indexers (in a different DC) allowed from the SH (the SHs are also in different DCs)?

0 Karma

vinitatacenture
New Member

I have 6 different regions and each region has standalone Splunk ent installation. Each Splunk instance works as a SH and IDX for local region.
Now I want to configure the SH in region A to point to the IDX of region B (or the other way round), and likewise for the other regions, so that from each region's SH I can access the other regions' data without actually replicating it across regions.

0 Karma

somesoni2
SplunkTrust

The problem here is that whether it's an SHC or a standalone SH, it replicates knowledge bundles to its search peers (which are not in the same instance). So if replication is not allowed between servers in different DCs, you can't configure an SHC or even Distributed Search (adding indexers as search peers).

http://docs.splunk.com/Documentation/Splunk/6.5.0/DistSearch/Whatsearchheadssend

0 Karma
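
A configuration sketch of solution (a) on one admin search head, added here as an example and not posted by anyone in this thread. It assumes the search head is permitted to reach each indexer's management port and send knowledge bundles to it, which is the condition raised in the reply above; all host names, index names and role names are constructed.

```ini
# ---- distsearch.conf on the admin search head ----
# Assumption: traffic from this search head to every peer's management
# port (8089 by default) is allowed. Without it the knowledge bundle
# cannot be pushed and distributed search does not work.
# Peers listed here by hand (rather than added through the CLI or
# Splunk Web) also need the search head's public key copied to them.
[distributedSearch]
servers = https://idx.dc1.example.internal:8089,https://idx.dc2.example.internal:8089,https://idx.dc3.example.internal:8089

# ---- authorize.conf on the same search head ----
# Requirement (a): a power user sees only the indexes of their own DC.
# Assumption: index names carry a per-DC prefix (dc1_, dc2_, ...), so a
# wildcard is enough to scope the role.
[role_dc1_power]
importRoles = power
srchIndexesAllowed = dc1_*
srchIndexesDefault = dc1_*

[role_dc2_power]
importRoles = power
srchIndexesAllowed = dc2_*
srchIndexesDefault = dc2_*

# Requirement (b): admins search every index on every peer.
# Hypothetical role name; the built-in admin role already allows
# all indexes, this stanza only makes the intent explicit.
[role_global_admin]
importRoles = admin
srchIndexesAllowed = *;_*
srchIndexesDefault = *
```

No event data is copied between data centers in this layout: searches run on each peer and only the results travel back, but the search head's knowledge bundle does get replicated to every peer.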