Hello! We have two offices: Head and Branch. The Head office has a Splunk infrastructure (Enterprise Security), which is managed by their admins. The Branch office is in the process of deploying a Splunk system that must then be managed by Branch administrators. The licensing server is located at the Head office and the Branch license will be uploaded to it. At the same time, it became necessary to send part of the data from the Branch to the Head office; for this purpose a Heavy Forwarder will be installed in the Branch, which will initially receive data from all sources. Then the HF will send all the data to the indexer of the Branch and in parallel send a part of it to the Head office. The main catch is that administrators in both offices want complete control over their systems. That is, no one from the Head office will be able to influence the Branch system in any way and vice versa. It turns out that the indexers of both offices are not connected in any way and the license for the data sent to the Head office will be measured twice (once when indexing on the Branch indexer and the second time on the Head indexer). How in this case should you organize the architecture correctly so that the administrators of each office retain control of their system, but the license is not measured twice on the data that will be sent to the main office?
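The split forwarding the question describes, written out as Splunk configuration on the Branch heavy forwarder (an added example, not from the original post; the hostnames, the sourcetype `shared_app_logs` and the output group names are placeholders):

```ini
# outputs.conf on the Branch heavy forwarder (placeholder hostnames).
# Everything goes to the Branch indexers by default; nothing here gives the
# Head office any configuration path back into the Branch deployment.
[tcpout]
defaultGroup = branch_indexers

[tcpout:branch_indexers]
server = branch-idx1.example.local:9997, branch-idx2.example.local:9997

[tcpout:head_indexers]
server = head-idx1.example.local:9997
# TLS for the WAN link is set on this stanza (see the outputs.conf spec);
# omitted here to keep the routing example focused.

# props.conf: only the sourcetype that must be shared gets the routing transform
[shared_app_logs]
TRANSFORMS-route_to_head = route_shared_to_both

# transforms.conf: overwrite _TCP_ROUTING so matching events are cloned to
# BOTH groups. Each copy is indexed separately, so it counts against each
# office's license once, which is the double counting the question asks about.
[route_shared_to_both]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = branch_indexers,head_indexers
```

Events of any other sourcetype never leave the Branch, so the Head admins can verify what they receive only from their own indexers, and the Branch admins control the sharing list by editing this one transform.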
The main catch is that administrators in both offices want complete control over their systems. That is, no one from the Head office will be able to influence the Branch system in any way and vice versa.
Based on my understanding of this requirement, there is likely no other option than to have the data count twice against the license. In v8.2+ of Splunk, there is now the concept of Federated Search, but I would argue this would still "influence" the Branch system from activity initiated from the Head Office system. https://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutfederatedsearch
What is the concern of the administrators of each Splunk system?