Splunk Enterprise Security

Can multiple instances of the Splunk App for Enterprise Security point to same indexer cluster?


I have a scenario. The customer has two teams, ABC and XYZ, and they have their own Enterprise Security setups. Each team has an indexer cluster setup feeding data into ES. Now they have a common security officer, and he wants to have a global view of the security postures from both teams and wants to have that view in ABC’s ES setup.

Basically, the security officer should be able to see the data for both teams when he logs in to ABC’s ES setup. Everyone else should be seeing their respective stuff. (Maybe possible with the roles/access controls.)

Now my question is, if I make XYZ’s indexer cluster a search peer to ABC’s ES SH, will there be any issue with respect to creating summaries on XYZ’s cluster, as two ES instances are pointed to that cluster?

Thanks so much for any ideas/comments.


There are two things to consider here.

First, remember that "permissions flow from the search head". Allowing a "foreign" (not in your control) search head to peer with your index cluster gives the admin on that foreign search head full power and authority over all indexes, roles, and data access controls on your index cluster. So in your example, team XYZ allowing team ABC to search-peer would give the admins of team ABC's instance full access to any data (or deleting data) on XYZ's index cluster.

Second, data model accelerations are specific to the search head they belong to. So, in this scenario, there will be two ES search heads running independent accelerations on XYZ's indexers. There will also be twice as many correlation searches running against that data. XYZ's indexers may need to scale up or out in order to deal with the added stress.
