Splunk Enterprise Security

Can multiple instances of the Splunk App for Enterprise Security point to same indexer cluster?

bheemireddi
Communicator

I have a scenario. The customer has two teams, ABC and XYZ, and each has its own Enterprise Security setup. Each team has an indexer cluster feeding data into ES. Now they have a common security officer, and he wants a global view of the security posture of both teams, and wants to have that view in ABC’s ES setup.

Basically, the security officer should be able to see the data for both teams when he logs in to ABC’s ES setup. Everyone else should see only their respective data. (This may be possible with roles/access controls.)

Now my question is: if I make XYZ’s indexer cluster a search peer of ABC’s ES search head, will there be any issue with creating summaries on XYZ’s cluster, since two ES instances would point to that cluster?

Thanks so much for any ideas/comments.

dwaddle
SplunkTrust

There are two things to consider here.

First, remember that "permissions flow from the search head". Allowing a "foreign" (not in your control) search head to peer with your index cluster gives the admin on that foreign search head full power and authority over all indexes, roles, and data access controls on your index cluster. So in your example, team XYZ allowing team ABC to search-peer would give the admins of team ABC's instance full access to any data (or deleting data) on XYZ's index cluster.

Second, data model accelerations are specific to the search head they belong to. So, in this scenario, there will be two ES search heads running independent accelerations on XYZ's indexers. There will also be twice as many correlation searches running against that data. XYZ's indexers may need to scale up or out in order to deal with the added stress.
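As an added illustration (not from this thread or from Splunk's documentation), here is how the role scoping the question mentions could be expressed on ABC's search head, using hypothetical host names, index names and role names. It only scopes what ABC's own users see; it does nothing to limit ABC's admins on XYZ's indexers, which is the first point above.

```ini
# distsearch.conf on ABC's ES search head (hypothetical hosts).
# Adding XYZ's peers here means ABC's search head admins now govern
# index and role access on those peers, not XYZ's team.
[distributedSearch]
servers = https://abc-idx1.example.internal:8089, https://abc-idx2.example.internal:8089, https://xyz-idx1.example.internal:8089, https://xyz-idx2.example.internal:8089

# authorize.conf on ABC's ES search head (hypothetical index naming:
# ABC writes to abc_* indexes, XYZ writes to xyz_* indexes).

# Ordinary ABC analysts: searches are restricted to ABC's indexes only.
[role_abc_analyst]
importRoles = ess_analyst
srchIndexesAllowed = abc_*
srchIndexesDefault = abc_*

# The shared security officer: may search both teams' indexes.
[role_security_officer]
importRoles = ess_analyst
srchIndexesAllowed = abc_*;xyz_*
srchIndexesDefault = abc_*;xyz_*

# Note: srchIndexesAllowed is evaluated on the search head that runs the
# search. A role with the admin capability on ABC's search head is not
# bounded by these stanzas, so this does not protect XYZ's data from
# ABC's administrators.
```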
