Hello,
we have a data center with several types of equipment such as servers, switches, routers, EDR, some IoT sensors, virtualization, etc.
Based on EPS, we need about 10 indexers based on Splunk's recommendation.
Now I want to separate the indexers into 4 clusters: one for servers, one for network devices, one for services and the last one for security such as firewall and EDR.
Each cluster has several indexers and each forwarder sends data to the related cluster. Data only replicates in the origin cluster, not the other clusters.
But I need each search head to be able to search across the 4 clusters, for example searching for login failures in all clusters (servers, network devices, etc.).
Could I have several clusters with one cluster master?
Best Regards
Hi @maede_yavari,
your architecture makes no sense: you can have a very performant architecture with HA and you want to divide it, why?
My hint is to engage a Certified Splunk Architect to design your architecture.
You can separate accesses to data using different indexers in the Cluster, giving different permissions to them.
In this way you have a linear infrastructure with one Cluster Master that manages all the Indexers and a Search Head (eventually clustered!) that accesses all the indexes in all the Indexers.
Then you can separate access to data by creating different roles to access security indexes or IT Operation indexes.
Ciao.
Giuseppe
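The layout Giuseppe describes (one indexer cluster, one cluster master, data separated by index and fenced by roles rather than by separate clusters) written out as Splunk .conf fragments. This is an added example, not part of the original thread and not Splunk's own documentation; the hostname cm.example.internal, the index names, the role names and the pass4SymmKey value are constructed placeholders.

```ini
# --- server.conf on the cluster master (called "manager" from Splunk 8.1 onward) ---
[clustering]
mode = master
replication_factor = 3
search_factor = 2
pass4SymmKey = REPLACE_WITH_SHARED_SECRET
cluster_label = dc_cluster

# --- server.conf on every indexer (peer; "mode = peer" in newer releases) ---
[replication_port://9887]

[clustering]
mode = slave
master_uri = https://cm.example.internal:8089
pass4SymmKey = REPLACE_WITH_SHARED_SECRET

# --- server.conf on each search head (stand-alone or member of a search head cluster) ---
[clustering]
mode = searchhead
master_uri = https://cm.example.internal:8089
pass4SymmKey = REPLACE_WITH_SHARED_SECRET

# --- indexes.conf pushed from $SPLUNK_HOME/etc/master-apps/_cluster/local on the master ---
# One index per data domain. repFactor = auto makes the bucket copies follow the
# cluster's replication_factor / search_factor, so every index is replicated and
# searchable from every search head without a second cluster.
[os_servers]
homePath   = $SPLUNK_DB/os_servers/db
coldPath   = $SPLUNK_DB/os_servers/colddb
thawedPath = $SPLUNK_DB/os_servers/thaweddb
repFactor  = auto

[network]
homePath   = $SPLUNK_DB/network/db
coldPath   = $SPLUNK_DB/network/colddb
thawedPath = $SPLUNK_DB/network/thaweddb
repFactor  = auto

[firewall]
homePath   = $SPLUNK_DB/firewall/db
coldPath   = $SPLUNK_DB/firewall/colddb
thawedPath = $SPLUNK_DB/firewall/thaweddb
repFactor  = auto

[edr]
homePath   = $SPLUNK_DB/edr/db
coldPath   = $SPLUNK_DB/edr/colddb
thawedPath = $SPLUNK_DB/edr/thaweddb
repFactor  = auto

# --- inputs.conf on a forwarder: the input chooses the index, the cluster stays one ---
[monitor:///var/log/auth.log]
sourcetype = linux_secure
index = os_servers

# --- authorize.conf on the search head: roles, not separate clusters, fence the data ---
# srchIndexesAllowed lists the indexes a role may search (semicolon-separated);
# srchIndexesDefault is what "index=*"-less searches hit by default.
[role_sec_analyst]
importRoles = user
srchIndexesAllowed = firewall;edr;os_servers;network
srchIndexesDefault = firewall;edr

[role_it_ops]
importRoles = user
srchIndexesAllowed = os_servers;network
srchIndexesDefault = os_servers
```

With this in place the cross-domain search from the original question is a single query on any search head, for example `index=os_servers OR index=network OR index=firewall "authentication failure"`, and a user in role_it_ops simply gets no events back from firewall or edr because those indexes are outside their srchIndexesAllowed.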
Thanks for your reply.
The Splunk Architect recommended a multi-site architecture. But in the multi-site architecture, I need to replicate data between sites to search them with search heads. Also, as far as I know, we cannot cluster search heads together in a multi-site architecture, because each site needs its own search head.
Actually permission is not my concern. I want to decrease replication load and bandwidth usage by separating indexes.
Hi @maede_yavari,
multisite architecture is required only if you need Disaster Recovery; otherwise, you can have a single-site Indexer Cluster even if servers are in more than one site. Even a multisite cluster, by setting Search Affinity, permits your SHs to search in the local Indexers instead of in all the Indexers.
About Search Heads, a Search Head Cluster gives you knowledge object replication, but you can also have stand-alone SHs that access the Indexer Cluster.
Anyway, don't use different clusters for different scopes: you will go crazy with log separation and you'll surely have duplication of data, because there are logs that must be used for more than one purpose.
Data replication can be configured and anyway grants you more safety in case of a fault.
Ciao.
Giuseppe
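Since the asker's real concern is replication load between sites, here is how the two knobs Giuseppe mentions (site-aware replication factors and search affinity) look in server.conf for a two-site indexer cluster. This is an added example, not from the original thread or Splunk's documentation; the site names, the hostname cm.example.internal and the pass4SymmKey value are constructed placeholders.

```ini
# --- server.conf on the cluster master of a two-site cluster ---
[general]
site = site1

[clustering]
mode = master
multisite = true
available_sites = site1,site2
# origin:2 keeps two copies of every bucket in the site that indexed it;
# total:3 means exactly one extra copy crosses the WAN. That single number is
# what bounds inter-site replication traffic, not the number of clusters.
site_replication_factor = origin:2,total:3
# One searchable copy stays local, one more somewhere in the cluster, so a
# search head with affinity rarely has to reach the remote site.
site_search_factor = origin:1,total:2
pass4SymmKey = REPLACE_WITH_SHARED_SECRET
cluster_label = dc_multisite

# --- server.conf on an indexer (peer) located in site 2 ---
[general]
site = site2

[replication_port://9887]

[clustering]
mode = slave
master_uri = https://cm.example.internal:8089
pass4SymmKey = REPLACE_WITH_SHARED_SECRET

# --- server.conf on a search head in site 1 ---
# site = site1 turns on search affinity: the search head prefers site1's
# searchable copies and only falls back to site2 for buckets with no local copy.
# site = site0 would disable affinity and spread searches over every peer.
[general]
site = site1

[clustering]
mode = searchhead
master_uri = https://cm.example.internal:8089
multisite = true
pass4SymmKey = REPLACE_WITH_SHARED_SECRET
```

The search head stanza is the same whether the search head is stand-alone or a member of a search head cluster; the site value is per search head, so the local-first behaviour Giuseppe describes does not require a separate search head per site.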
Many thanks for your answer gcusello.
If I deploy a multi-site cluster architecture, would it be possible to have search head clustering?
Hi @maede_yavari,
you can have all the combination you like:
single site or multi site Indexer Cluster
stand alone Search Heads or Search Head Cluster.
It depends on your requirements.
For more info see https://www.splunk.com/en_us/pdfs/tech-brief/splunk-validated-architectures.pdf
but anyway engage a Certified Splunk Architect; my answer could be not sufficient to design your architecture (even if I'm a Certified Splunk Architect)!
Ciao.
Giuseppe
Many thanks, gcusello, for the shared document.
Hi @maede_yavari,
good for you, see next time!
Let me know if I can help you more, or, please, accept one answer for the other people of the Community.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉