Deployment Architecture

External search head performs searches on separate cluster?

Engager

Is it possible to have a cluster (1 master, 2 indexers, 1 search head, 1 deployer) and have an external search head connect to the indexer cluster and perform searches on them?
And is it possible to limit that search head to only perform searches on specific information, like a specific index?

0 Karma

Splunk Employee
Splunk Employee

What do you mean by "external" search head, can you please clarify?

0 Karma

Engager

External in the meaning "not part of the same deployment". It's configured seprately and not by me. It will be provided with correct information about my deployment that a search head needs, but wondering if it will be able to perform searches on the indexers that I've deployed.

0 Karma

Contributor

It is possible to have another search head or search head cluster accessing an indexer cluster.

A search head is not able to filter out some results or block some indexes based on the search head. The indexers know which search heads are allowed to send searches, they accept any search from any attached search head. The whole authorization is performed on the search heads, so on a second search head you should possibly use the same identity provider (LDAP, SAML or whatever), otherwise you have to be very careful about your users, groups and roles.

0 Karma

Engager

So, if defining the access control on the external search head by only letting it search specific indexes, it might be possible?

0 Karma

Contributor

Yes, the the authorization is done on the search head, so if there are nor roles which allow access to indexes, no search will be performed against this indexes. But you have to make certain this roles are maintained properly. In case someone is able to become admin on this search head, this person might change the roles, and in this case this person might then access anything on your indexer cluster.
This makes it not feasible to give for example developers a search head with admin privilege, which is connected to the indexer cluster.

0 Karma

Engager

I agree, the access to the indexes has to handled, in my case, by trust since im not the owner of the external search head.

0 Karma

Contributor

In this case, you have to be aware of the fact that you have to trust the authority of the external search head to properly handle the role management. By allowing it to access the indexer cluster, you give it access to all date on the indexer cluster.