Splunk Enterprise Security

Recommendation for Splunk Enterprise Security architecture in a distributed environment

Hi Splunkers,

I need some help in planning an ES environment setup.
We have ES running on a Splunk instance in a central location (let's call it site A).
Currently, only data from local servers is being ingested into Splunk. We'll be expanding the architecture to include over 20 sites. At each site, we have a Splunk indexer which collects the data for that location.

We are considering the following options:
- Search Head with ES on central location, clustered with all the remote indexers across the globe: This architecture requires each query on the SH to hit all of the remote locations, in which case the user experience will completely depend on the network latency.
- Hybrid environment: Would it be possible to forward the results (notable events) of selected correlation searches from all the remote indexers to the central indexer in Site A, and store notable events in the same location as the SH? If we can manage to set this up, incident review dashboard and other frequently used dashboards will run on local indexer in the same network. Investigative dashboards which require access to raw events can be run on remote indexers which will be clustered with the SH. If this architecture can be set up and fine-tuned, then there would not be as much dependency on the network latency.

Has anyone set up ES in a similar environment? Please help us with recommendations, suggestions or considerations regarding the above options. Any feedback, insight or anecdote is highly appreciated. Thanks!!

Hi nileena, good morning. Did you get any answers? I'm looking at such an architecture; can you please advise on your solution?
