Deployment Architecture

Search Head Cluster connected to Multiple Single Site Index Clusters

jfrazier060803
Loves-to-Learn Lots

I have a search head cluster consisting of 3 search heads. This search head cluster is going to attach to 6 different single site index clusters. Is it possible to restrict all searches from querying every Index cluster?

If I specify "srchIndexesDefault" as none, and specify the "srchIndexesAllowed" with the indexes that can be searched; if the indexes don't exist on some of the index clusters, will the indexers from that site still be searched? I am trying to maintain performance on the Index clusters and not have every cluster hit with every search.

0 Karma

lakshman239
SplunkTrust

I assume each of the indexer clusters may have different indexes. In your search, you can specify index=your index splunk_server=yourindexers_of_particular_cluster; this forces the search to look only at the indexers in one or more clusters. Will this help?

0 Karma

jfrazier060803
Loves-to-Learn Lots

Thanks. I know how to restrict this via searching. We just have our "core" group of users here that search our Splunk instance every day. We are going to be attaching to about 6 different additional index clusters. These clusters will have the same Indexes. I just wanted a quick way to restrict the searching of Core users to not be able to query those indexers unless specifically using the index names. So if they are searching for an index on our main cluster...will it even query an index cluster that doesn't have that index. That's what I'm trying to ask. I know my users are going to be too lazy to use "splunk_server=".

0 Karma

lakshman239
SplunkTrust

Your search head is set up for distributed search across all indexer clusters. One way to restrict 'core users' to only a specific indexer cluster (or set of clusters) is to define a role (say core_usr_cluster) with 'searchFilter' using splunk_server. Have any other role which allows them to search all clusters. So, you can assign one of these roles to users to restrict them. However, they cannot use index=xyz to search across all clusters using the above approach. Also, search affinity can help to some extent, but it's only available in multi-site indexer clusters.
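
A worked authorize.conf fragment for the role-based approach described above, added here as an example and not taken from the thread or from Splunk's defaults. The setting is spelled srchFilter in authorize.conf; the role names and the idx-main-* host pattern are placeholders for whatever your main cluster's indexers are actually named, and the index list is illustrative.

```ini
# Added example (not from the original post): authorize.conf on the search head
# cluster members, distributed with the deployer. Role and host names are placeholders.

# Restricted role for the "core" users: every search they run gets the srchFilter
# ANDed onto it, so a plain "index=main" only reaches peers whose splunk_server
# field matches the main cluster's naming pattern.
[role_core_usr_cluster]
search = enabled
srchFilter = splunk_server=idx-main-*
srchIndexesDefault = main
srchIndexesAllowed = main;web;firewall

# Unrestricted role for users who are allowed to query all six attached clusters.
# No srchFilter, so searches are dispatched to every search peer.
[role_all_clusters]
search = enabled
srchIndexesDefault = main
srchIndexesAllowed = *
```

Two caveats when using this: search filters from all of a user's roles, including roles pulled in through importRoles, are combined with OR, so the restricted role must not inherit from a role that carries a wider or empty filter, or the restriction disappears; and you can confirm what a given user actually gets by running a search as that user with the splunk_server field added to the results (for example `| stats count by splunk_server`) and checking that only the expected indexers appear.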

jfrazier060803
Loves-to-Learn Lots

Thanks! I appreciate it. I'll give it a try.

0 Karma