I have 6 standalone Splunk instances across different data centers (DCs) and data is not replicated across DCs for security reasons.
a) Power users - should be able to access logs into their DCs - which is possible and I can configure index-level access
b) Admin users - should have access to all the information. - This is what I need help for. What would be the best architecture?
a) Have a SH in one of the DCs and configure SH as a Search peer for all indexers
b) Configure SH cluster across DCs. - But question is, can i configure SH cluster if there is no data replication and if yes, then how to configure it?
Please suggest if there is any alternate solution.
For answer question for solution b, No, if no data replication is possible, then SHC can't be configured. The SH replicates user configs and lot of other info across SHC and if communication is not allowed between data centers/Search Head, this would not work. In fact, you won't be able to set it up itself.
For solution a, is access to Indexers (in different DC) allowed from SH (SH also are in different DC)?
I have 6 different regions and each region has standalone Splunk ent installation. Each Splunk instance works as a SH and IDX for local region.
Now I want to configure SH in region A to point to IDX of region B (or other way round) and other regions too, so that from each region's SH I can access other region's data without actually replicating it across regions.
The problem here is where it's SHC OR standalone SH, it replicates knowledge bundles to it's search peers (which are not in the same instance). So if the replication is not allowed between servers in different DC, you cant configure SHC OR even Distributed Search (adding Indexers are search peers).