I would like to create an environment where there is a central search head(say A) and various separate search heads are its peer nodes(let one among it is B) which in turn are search head master to multiple indexers(let any indexer C is a search peer of B). I am not able to run commands of these indexers on root search head(I mean search commands of C are not able to run on A). Is it possible to configure? If yes, then how it is feasible.
I think you are confused on how topology works with Splunk. Give this a look:
http://docs.splunk.com/Documentation/Splunk/6.0.1/Deploy/Distributedoverview
If you need to be able to Search B's internal logs, forward them to the indexers C.
Splunk topology says that won't happen. However, have you considered using a reverse proxy? Then you can proxy all the requests from A1 through B1-3 to C1-3.
Consider B1,B2,B3 as search head of different zones. Through search head A(global search head) we want to search for all the zonal data at one place. This assumes that A1 has the connectivity to B1,B2 and B3 only not to C1,C2,C3,etc indexers.
Again, no. Check the doc for distributed searching. Why do you need to have A search B first? Just make C a search peer of A, and then both A and B search C.
I don't want to re-index any data. My question is just this, being a search head B, it can run commands on its search peer C. Then, if I make B as a search peer of a new search head A, somewhat like making an hierarchy, so would have I been able to run commands on C from search head A. You may assume it as multi-level search head. I could not found this approach in any document among the ones I had been through. So, just keen to know if it can be done in this way somehow?
Regards,
Disha