Deployment Architecture

What are best practices for managing multiple indexes?

maede_yavari
Explorer

Hello,

We have a data center with several types of equipment such as servers, switches, routers, EDR, some IoT sensors, virtualization, etc.

Based on EPS, we need about 10 indexers per Splunk's recommendation.

Now I want to separate the indexers into 4 clusters: one for servers, one for network devices, one for services, and the last one for security such as firewall and EDR.

Each cluster has several indexers and each forwarder sends data to the related cluster. Data only replicates in the origin cluster, not the other clusters.

But I need each search head to be able to search across all 4 clusters, for example searching for login failures in all clusters (servers, network devices, etc.).

Could I have several clusters with one cluster master?

 

Best Regards


gcusello
SplunkTrust

Hi @maede_yavari,

Your architecture makes no sense: you can have a very performant architecture with HA and you want to divide it, why?

My hint is to engage a Certified Splunk Architect to design your architecture.

You can separate access to data using different indexes in the Cluster, giving different permissions to them.

In this way you have a linear infrastructure with one Cluster Master that manages all the Indexers and a Search Head (possibly clustered!) that accesses all the indexes in all the Indexers.

Then you can separate access to data by creating different roles to access security indexes or IT Operations indexes.

Ciao.

Giuseppe

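The single-cluster layout described in the answer above, as an added configuration example that is not from the original thread or from Splunk's own documentation: one indexer cluster under one cluster master, with data kept apart by index and access kept apart by role, so a single search head can still run one search across every index. Index names (os_servers, network, security), role names, the forwarder inputs and the hostnames are assumptions chosen for illustration.

```ini
# Added example (not from the thread). One indexer cluster, one cluster master,
# separation by index and by role. Index/role names and paths are assumptions.

# --- indexes.conf, distributed from the cluster master via
#     $SPLUNK_HOME/etc/manager-apps/_cluster/local/ (master-apps on older releases) ---
# repFactor = auto is what makes an index participate in cluster replication;
# without it the buckets stay on the indexer that received them.
[os_servers]
homePath   = $SPLUNK_DB/os_servers/db
coldPath   = $SPLUNK_DB/os_servers/colddb
thawedPath = $SPLUNK_DB/os_servers/thaweddb
repFactor  = auto

[network]
homePath   = $SPLUNK_DB/network/db
coldPath   = $SPLUNK_DB/network/colddb
thawedPath = $SPLUNK_DB/network/thaweddb
repFactor  = auto

[security]
homePath   = $SPLUNK_DB/security/db
coldPath   = $SPLUNK_DB/security/colddb
thawedPath = $SPLUNK_DB/security/thaweddb
repFactor  = auto

# --- inputs.conf on a forwarder: every source is routed to its index,
#     but all forwarders talk to the same cluster (assumed sources) ---
[monitor:///var/log/secure]
index = os_servers
sourcetype = linux_secure

[udp://514]
index = network
sourcetype = syslog

[monitor:///var/log/edr/events.json]
index = security
sourcetype = edr:json

# --- authorize.conf on the search head: access is scoped per index, not per
#     cluster. srchIndexesAllowed is semicolon-separated. ---
[role_itops]
importRoles = user
srchIndexesAllowed = os_servers;network
srchIndexesDefault = os_servers

[role_secops]
importRoles = user
srchIndexesAllowed = os_servers;network;security
srchIndexesDefault = security

# A member of role_secops can then answer the original "login failures
# everywhere" question with one search over several indexes, for example:
#   (index=os_servers OR index=network OR index=security) ("Failed password" OR "login failed")
# A member of role_itops running the same search silently gets no results
# from index=security, because the role does not allow it.
```

The practical check after deploying this is to log in as a user in each role and run a search that names all three indexes: the IT operations user should see no events from `security`, and the cluster master's `splunk show cluster-status` should report every index replicated to the configured replication factor, which confirms that one cluster is doing the separation the original question wanted four clusters for.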

maede_yavari
Explorer

Thanks for your reply.

The Splunk Architect recommended a multi-site architecture. But in the multi-site architecture, I need to replicate data between sites for the search heads to search it. Also, as far as I know, we cannot cluster search heads together in a multi-site architecture, because each site needs its own search head.

Actually, permissions are not my concern. I want to decrease replication load and bandwidth usage by separating indexes.


gcusello
SplunkTrust

Hi @maede_yavari,

A multisite architecture is required only if you need Disaster Recovery; otherwise, you can have a single-site Indexer Cluster even if servers are in more than one site. That said, a multisite cluster, by setting Search Affinity, permits your SHs to search the local Indexers instead of all the Indexers.

About Search Heads, a Search Head Cluster gives you knowledge object replication, but you can also have standalone SHs that access the Indexer Cluster.

Anyway, don't use different clusters for different scopes; you will go crazy with log separation and you'll surely have duplication of data, because there are logs that must be used for more than one purpose.

Data replication can be configured and in any case gives you more safety in case of a fault.

Ciao.

Giuseppe


maede_yavari
Explorer

Many thanks for your answer gcusello.

If I deploy a multi-site cluster architecture, would it be possible to have search head clustering?


gcusello
SplunkTrust

Hi @maede_yavari,

You can have any combination you like:

single-site or multi-site Indexer Cluster

standalone Search Heads or Search Head Cluster.

It depends on your requirements.

For more info see https://www.splunk.com/en_us/pdfs/tech-brief/splunk-validated-architectures.pdf 

But anyway, engage a Certified Splunk Architect; my answer may not be sufficient to design your architecture (even if I'm a Certified Splunk Architect)!

Ciao.

Giuseppe

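The multisite option with Search Affinity mentioned earlier in the thread, and the multi-site plus Search Head Cluster combination the last answer says is possible, as an added configuration example that is not from the thread or from Splunk's own documentation. It shows the settings that actually control how much bucket data crosses between sites (site_replication_factor and site_search_factor) and the one search head setting that turns affinity on or off. Site names, hostnames, the cluster label and the secret placeholder are assumptions; the search head stanza is the same whether the search head is standalone or a member of a search head cluster.

```ini
# Added example (not from the thread). Two-site indexer cluster with
# search affinity. Site names, hostnames and factors are assumptions.

# --- server.conf on the cluster manager (located in site1) ---
[general]
site = site1

[clustering]
mode = manager            # "master" on Splunk releases before 8.1
multisite = true
available_sites = site1,site2
# Bucket copies: 2 must stay in the site that ingested the data, and only
# 1 more copy is shipped to the other site. That single copy per bucket is
# the entire cross-site replication traffic, which is how replication load
# between sites is bounded without splitting the cluster.
site_replication_factor = origin:2,total:3
# Searchable copies: 1 in the origin site, 2 in total. The origin-site copy
# is what lets a local search head answer searches without reading remote
# peers; the second copy is what keeps data searchable if a site is lost.
site_search_factor = origin:1,total:2
pass4SymmKey = <cluster-secret>
cluster_label = dc_cluster

# --- server.conf on every peer (indexer) ---
[general]
site = site1              # site2 on the peers in the second data center

[clustering]
mode = peer
manager_uri = https://cm.example.com:8089   # master_uri before 8.1
pass4SymmKey = <cluster-secret>

# --- server.conf on a search head: standalone, or each SHC member ---
[general]
# Search affinity: with site = site1 the search head prefers bucket copies
# held by site1 peers and only goes to site2 for buckets site1 lacks.
site = site1
# To disable affinity and always search across all peers, use instead:
# site = site0

[clustering]
mode = searchhead
manager_uri = https://cm.example.com:8089
pass4SymmKey = <cluster-secret>

# A search head cluster is an independent layer on top of this: each member
# carries the [general]/[clustering] stanzas above plus its own
# [shclustering] stanza, so multisite indexing and an SHC coexist.
```

Two checks worth running after applying this: `splunk show cluster-status --verbose` on the manager should list every site with its replication and search factors met, and a search such as `| rest /services/search/jobs/<sid>/peers` (or the job inspector) from the site1 search head should show searches served mostly by site1 peers, which is the bandwidth saving the original question was after. Note that with `site = site0` every search fans out to all peers in both sites.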

maede_yavari
Explorer

Many thanks gcusello for the shared document.


gcusello
SplunkTrust

Hi @maede_yavari,

Good for you, see you next time!

Let me know if I can help you more, or, please, accept one answer for the other people in the Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉
