There is also one more possible issue - the connectivity between different aws accounts could be happening over relatively slow network (especially if the environments are in different regions). And splunk will complain if it won't be able to replicate knowledge bundle to indexers.

Thank you very much for confirmation. We will do consider the network setup and costs involved to make it happen

1) You mean we cannot restrict accesses to SH at index level ? Lets say I have segregated my data and placed them on 3 indexers on 3 different hosts. Can access to SHs on another accounts be given only for 2/3 indexes ?

2) Is there any documentation on how to add the indexes to a Search Head ? My concern with this doc is the instructions appear to edit config rather than add to it

1) As all access to indexes are defined on authorize.conf on SH,  you cannot restrict that on indexer side.

2) If you want to add those also to SH side, just create those with conf file or with GUI. Only thing which means are index names nothing else. Usually I don’t define those on SH side as there haven’t any need for those. And remember to send all local events to IDX layer!

r. Ismo 

Thank you for confirmation on authorization part. This saves me a lot of research effort.

Apologies, had a typo on my last question. How to add indexers or indexer instances to search head and not indexes?  Assuming I will either do VPC peering or provide a route to resolve dns names pointing to the indexer EC2 instances from other AWS account, I am not sure how to add it to my SH

You add indexers as a search peer in distributed configuration. If you have clustered indexers then add CM as a cluster.

Some links:

• https://docs.splunk.com/Documentation/Splunk/8.2.5/DistSearch/Whatisdistributedsearch
• https://docs.splunk.com/Documentation/Splunk/8.2.5/Indexer/Enablethesearchhead

After you have added an indexer you have added also all indexes inside this indexer. There is no way to told that enable only this but not that indexes.