Deployment Architecture

Can Splunk Search Heads and Indexers span multiple AWS accounts?

ramos
Engager

In our enterprise, there is already another team which has set up Splunk Search Heads and Indexers in their own AWS account (say A).

We are planning to index and store new data in our AWS account (say B).

For our dashboards, we would like to pull in data indexed in Account A as well. So, we are trying to determine the best approach here.

1. Is it possible to set up Search Heads in Account B and add indexers to them from both Account B and Account A?

1.1. In that case, will the existing setup in Account A be affected in any way?

Overall, is it possible to share indexers across multiple AWS accounts and still maintain our own Search Heads and dashboard UI?

As we are different teams, we would like to have independence in maintaining our dashboards/Splunk Enterprise instances and also not share indexed confidential data.

The documentation here lists the commands to edit the indexer cluster config but not how to add a new search head from another AWS account. So, it would be helpful to know if it's possible to share indexes across AWS accounts.

https://docs.splunk.com/Documentation/Splunk/8.2.5/DistSearch/SHCandindexercluster

 

1 Solution

isoutamo
SplunkTrust

Hi

In short, it's possible.

Basically you could think of AWS accounts as data centers, and zones inside accounts as rooms inside the DC.

You should just open connections between accounts/nodes to get those nodes connected and used as on-prem. Anyhow, you should remember that there is some cost (in $) for cross-account traffic inside AWS. So maybe you should calculate which is the best practice for you based on your traffic etc.?

It's almost impossible to give you an exact answer as to which model is best for you, as there are so many things one must know before that.

You should also remember that the team which controls the SH layer can see all data in the indexes, as the authorisation control is at the SH layer, not in the indexers. So if you have something on the idx side which you don't want to show them, then you cannot give access to those, and vice versa.

r. Ismo


PickleRick
SplunkTrust

There is also one more possible issue: the connectivity between different AWS accounts could be happening over a relatively slow network (especially if the environments are in different regions). And Splunk will complain if it isn't able to replicate the knowledge bundle to the indexers.


ramos
Engager

Thank you very much for the confirmation. We will consider the network setup and costs involved to make it happen.

 

1) You mean we cannot restrict access for SHs at the index level? Let's say I have segregated my data and placed it in 3 indexes on 3 different hosts. Can access for SHs in another account be given for only 2 of the 3 indexes?

 

2) Is there any documentation on how to add the indexes to a Search Head? My concern with this doc is that the instructions appear to edit the config rather than add to it.


isoutamo
SplunkTrust

1) As all access to indexes is defined in authorize.conf on the SH, you cannot restrict that on the indexer side.

2) If you want to add those on the SH side too, just create them with a conf file or with the GUI. The only thing that matters is the index names, nothing else. Usually I don't define those on the SH side, as there hasn't been any need for them. And remember to send all local events to the IDX layer!

r. Ismo 


ramos
Engager

Thank you for the confirmation on the authorization part. This saves me a lot of research effort.

Apologies, I had a typo in my last question. How do I add indexers, or indexer instances, to a search head, not indexes? Assuming I will either do VPC peering or provide a route to resolve DNS names pointing to the indexer EC2 instances in the other AWS account, I am not sure how to add them to my SH.


isoutamo
SplunkTrust

You add indexers as search peers in the distributed search configuration. If you have clustered indexers, then add the CM as a cluster.

Some links:

After you have added an indexer, you have also added all the indexes inside this indexer. There is no way to tell it to enable only these indexes but not those.

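The two answers above make one security-relevant point between them: once an indexer is attached to a search head as a search peer, every index on it is reachable from that search head, and the only thing deciding which roles can actually search which indexes is srchIndexesAllowed in authorize.conf on the search head itself. The script below is an added example (not code from this thread or from Splunk) that audits that: it reads a constructed distsearch.conf and authorize.conf, resolves index access inherited through importRoles, applies Splunk's wildcard rule that a bare `*` covers only non-internal indexes while `_*` is needed for internal ones, and reports which roles on team B's search head can read an index that lives only on team A's peer. The host names, role names and index names are all made up for illustration.

```python
"""Audit of effective index access on a Splunk search head.

Added example, not code from the thread or from Splunk. Models the point
made in the replies: index authorization is srchIndexesAllowed in
authorize.conf on the search head, and an attached search peer exposes
all of its indexes. Hosts, roles and index names below are constructed.
"""
import configparser
import fnmatch

# Constructed distsearch.conf on team B's search head: one peer in account B
# and one in account A (made-up host names).
DISTSEARCH_CONF = """
[distributedSearch]
servers = https://idx-b-1.internal:8089, https://idx-a-1.internal:8089
"""

# Constructed authorize.conf on the same search head.
AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = main
srchIndexesDefault = main

[role_teamb_analyst]
importRoles = user
srchIndexesAllowed = teamb_*
srchIndexesDefault = teamb_app

[role_teamb_admin]
importRoles = teamb_analyst
srchIndexesAllowed = *;_*
"""

# Constructed inventory of indexes defined on each peer. Team A's
# confidential index exists only on the account-A peer.
PEER_INDEXES = {
    "https://idx-b-1.internal:8089": ["main", "teamb_app", "teamb_web", "_internal"],
    "https://idx-a-1.internal:8089": ["main", "teama_hr_confidential", "_internal"],
}


def parse_conf(text):
    """Splunk .conf files are INI-style; keep key case as written."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def search_peers(distsearch):
    """Peers listed under [distributedSearch] servers (comma separated)."""
    raw = parse_conf(distsearch).get("distributedSearch", "servers", fallback="")
    return [s.strip() for s in raw.split(",") if s.strip()]


def effective_index_patterns(authorize, role, seen=None):
    """srchIndexesAllowed of the role unioned with all roles it imports
    (Splunk inherits index access through importRoles)."""
    seen = set() if seen is None else seen
    if role in seen:  # guard against import cycles
        return set()
    seen.add(role)
    cp = parse_conf(authorize)
    section = f"role_{role}"
    if not cp.has_section(section):
        return set()
    allowed = cp.get(section, "srchIndexesAllowed", fallback="")
    patterns = {p.strip() for p in allowed.split(";") if p.strip()}
    for parent in cp.get(section, "importRoles", fallback="").split(";"):
        if parent.strip():
            patterns |= effective_index_patterns(authorize, parent.strip(), seen)
    return patterns


def pattern_matches(pattern, index):
    """Splunk semantics: bare '*' covers non-internal indexes only;
    '_*' is what grants the internal ones (_internal, _audit, ...)."""
    if pattern == "*":
        return not index.startswith("_")
    return fnmatch.fnmatchcase(index, pattern)


def searchable_indexes(authorize, distsearch, peer_indexes, role):
    """Peer -> sorted list of indexes the role can search on that peer."""
    patterns = effective_index_patterns(authorize, role)
    result = {}
    for peer in search_peers(distsearch):
        hits = sorted(i for i in peer_indexes.get(peer, [])
                      if any(pattern_matches(p, i) for p in patterns))
        if hits:
            result[peer] = hits
    return result


def roles_reaching(authorize, distsearch, peer_indexes, index):
    """Roles on this search head that can read the given index on any peer."""
    cp = parse_conf(authorize)
    roles = [s[len("role_"):] for s in cp.sections() if s.startswith("role_")]
    return sorted(r for r in roles if any(
        index in idxs
        for idxs in searchable_indexes(authorize, distsearch, peer_indexes, r).values()))


if __name__ == "__main__":
    for role in ("teamb_analyst", "teamb_admin"):
        print(role, searchable_indexes(AUTHORIZE_CONF, DISTSEARCH_CONF, PEER_INDEXES, role))
    # Team A cannot block this from the indexer side; only team B's authorize.conf decides.
    print("roles reading teama_hr_confidential:",
          roles_reaching(AUTHORIZE_CONF, DISTSEARCH_CONF, PEER_INDEXES, "teama_hr_confidential"))
```

Run against real files by reading `$SPLUNK_HOME/etc/system/local/distsearch.conf` and the merged output of `splunk btool authorize list` instead of the constructed strings; the result is the list you would show team A before asking them to accept your search head as a peer, since it is the only control that stands between their confidential index and your users.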