Deployment Architecture

Search Head Cluster connected to Multiple Single Site Index Clusters

jfrazier060803
Loves-to-Learn Lots

I have a search head cluster consisting of 3 search heads. This search head cluster is going to attach to 6 different single site index clusters. Is it possible to restrict all searches from querying every Index cluster?

If I specify "srchIndexesDefault" as none, and specify the "srchIndexesAllowed" with the indexes that can be searched; if the indexes don't exist on some of the index clusters, will the indexers from that site still be searched? I am trying to maintain performance on the Index clusters and not have every cluster hit with every search.

0 Karma

lakshman239
Influencer

I assume each of the indexer clusters may have different indexes. In your search, you can specify index=your index splunk_server=yourindexers_of_particular_cluster; this forces the search to look only at the indexers in one or more clusters. Will this help?

0 Karma

jfrazier060803
Loves-to-Learn Lots

Thanks. I know how to restrict this via searching. We just have our "core" group of users here that search our Splunk instance every day. We are going to be attaching to about 6 different additional index clusters. These clusters will have the same indexes. I just wanted a quick way to restrict the searching of core users so they cannot query those indexers unless specifically using the index names. So if they are searching for an index on our main cluster... will it even query an index cluster that doesn't have that index? That's what I'm trying to ask. I know my users are going to be too lazy to use "splunk_server=".

0 Karma

lakshman239
Influencer

Your search head is set up for distributed search across all indexer clusters. One way to restrict 'core users' to only a specific indexer cluster (or set of clusters) is to define a role (say core_usr_cluster) with 'searchFilter' using splunk_server. Have another role which allows them to search all clusters. So, you can assign one of these roles to users to restrict them. However, they cannot use index=xyz to search across all clusters using the above approach. Also, search affinity can help to some extent, but it's only available in multi-site indexer clusters.
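
A concrete authorize.conf layout for the role-based approach described above, added here as an example and not taken from the thread. The authorize.conf key is srchFilter (the 'searchFilter' mentioned in the reply); the role names, index names and the idx-main-* peer naming pattern are assumptions.

```ini
# authorize.conf on the search head cluster (pushed from the deployer).
# Added example; role names, index names and peer name pattern are assumed.

# Restricted role for the "core" users. srchFilter is AND-ed onto every
# search this role runs, so a plain "index=main" only fans out to peers
# whose splunk_server name matches idx-main-*. Peers in the other
# clusters are never asked, which is the performance goal from the question.
# The splunk_server value is the peer's serverName as the search head sees
# it, so the match depends on a consistent naming convention per cluster.
[role_core_usr_cluster]
importRoles = user
srchFilter = splunk_server=idx-main-*
srchIndexesDefault = main
srchIndexesAllowed = main;firewall;proxy

# Unrestricted role for the few users who really need every cluster.
# No srchFilter, so index=xyz searches all six clusters as today.
[role_all_clusters]
importRoles = user
srchIndexesDefault = main
srchIndexesAllowed = *
```

Users holding role_core_usr_cluster cannot reach the other clusters even by naming an index, exactly the limitation noted above; assign role_all_clusters to those who need cross-cluster searches.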

jfrazier060803
Loves-to-Learn Lots

Thanks! I appreciate it. I'll give it a try.

0 Karma