I have a search head cluster consisting of 3 search heads. This search head cluster is going to attach to 6 different single site index clusters. Is it possible to restrict all searches from querying every Index cluster?
If I specify "srchIndexesDefault" as none and specify "srchIndexesAllowed" with the indexes that can be searched, and those indexes don't exist on some of the index clusters, will the indexers from that site still be searched? I am trying to maintain performance on the index clusters and not have every cluster hit with every search.
I assume each of the indexer clusters may have different indexes. In your search, you can specify index=your_index splunk_server=your_indexers_of_particular_cluster; this forces the search to look only at the indexers in one or more clusters. Will this help?
Thanks. I know how to restrict this via searching. We just have our "core" group of users here that search our Splunk instance every day. We are going to be attaching to about 6 different additional index clusters. These clusters will have the same indexes. I just wanted a quick way to restrict the searching of core users so they are not able to query those indexers unless they specifically use the index names. So if they are searching for an index on our main cluster, will it even query an index cluster that doesn't have that index? That's what I'm trying to ask. I know my users are going to be too lazy to use "splunk_server=".
Your search head is set up for distributed search across all indexer clusters. One way to restrict 'core users' to only a specific indexer cluster (or set of clusters) is to define a role (say core_usr_cluster) with 'srchFilter' using splunk_server. Have another role which allows users to search all clusters. So, you can assign one of these roles to users to restrict them. However, they cannot use index=xyz to search across all clusters using the above approach. Also, search affinity can help to some extent, but it's only available in multi-site indexer clusters.
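As an added illustration of the role-based approach in the answer above (not configuration from the original thread), here is what the two roles could look like in authorize.conf. The role names, index names and the splunk_server name pattern are assumptions; substitute the peer names of your main cluster.

```ini
# authorize.conf (constructed example; role, index and peer names are placeholders)

# Restricted role for the "core" users: the search head appends the
# srchFilter term to every search this role runs, so only peers whose
# splunk_server name matches the main cluster's pattern return results.
[role_core_usr_cluster]
importRoles = user
srchIndexesDefault = main
srchIndexesAllowed = main;app_logs
srchFilter = splunk_server=idx-main*

# Unrestricted role for users who genuinely need all six attached
# clusters: same index permissions, no srchFilter.
[role_all_clusters_user]
importRoles = user
srchIndexesDefault = main
srchIndexesAllowed = main;app_logs
```

Assign users needing both behaviours to the unrestricted role only; as the answer notes, a user holding the filtered role cannot reach the other clusters with index=xyz, because the splunk_server term is applied to every search they run.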