Splunk Enterprise Security

Can multiple instances of the Splunk App for Enterprise Security point to same indexer cluster?


I have a scenario. The customer has two teams, ABC and XYZ, and each has its own Enterprise Security setup. Each team has an indexer cluster feeding data into ES. Now they have a common security officer, and he wants a global view of the security postures of both teams, and wants that view in ABC's ES setup.

Basically, the security officer should be able to see the data for both teams when he logs in to ABC's ES setup. Everyone else should see only their own team's data. (This may be possible with roles/access controls.)

Now my question is: if I make XYZ's indexer cluster a search peer of ABC's ES search head, will there be any issue with creating summaries on XYZ's cluster, since two ES instances would then be pointed at that cluster?

Thanks so much for any ideas/comments.


There are two things to consider here.

First, remember that "permissions flow from the search head". Allowing a "foreign" (not in your control) search head to peer with your index cluster gives the admin on that foreign search head full power and authority over all indexes, roles, and data access controls on your index cluster. So in your example, team XYZ allowing team ABC to search-peer would give the admins of team ABC's instance full access to any data (including deleting data) on XYZ's index cluster.

Second, data model accelerations are specific to the search head they belong to. So, in this scenario, there will be two ES search heads running independent accelerations on XYZ's indexers. There will also be twice as many correlation searches running against that data. XYZ's indexers may need to scale up or out in order to deal with the added stress.
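One way to give the security officer the cross-team view while keeping each team's analysts inside their own data, as an added example that is not part of the original question or answer (role names and the `abc_*`/`xyz_*` index naming are assumptions). Note where this lives: it is authorize.conf on ABC's ES search head, which is exactly the point above about permissions flowing from the search head, since XYZ's indexers have no say in it once they are peered.

```ini
# authorize.conf on ABC's ES search head (constructed example).
# Index visibility is decided here, on the search head, for every peer it
# searches, including XYZ's cluster once it is added as a search peer.
# Index permissions from imported roles are unioned with the ones below,
# so also check srchIndexesAllowed on the imported ES roles.

[role_abc_analyst]
importRoles = ess_analyst
srchIndexesAllowed = abc_*
srchIndexesDefault = abc_*

[role_xyz_analyst]
importRoles = ess_analyst
srchIndexesAllowed = xyz_*
srchIndexesDefault = xyz_*

[role_security_officer]
importRoles = ess_analyst
srchIndexesAllowed = abc_*;xyz_*
srchIndexesDefault = abc_*;xyz_*
```

To confirm the effective allowed-index list per role after a restart, run `| rest /services/authorization/roles | table title srchIndexesAllowed srchIndexesDefault` on the search head.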
