Splunk Enterprise Security

Recommendation for Splunk Enterprise Security architecture in distributed environment

nileena
Path Finder

Hi Splunkers,

I need some help in planning an ES environment set.
Background:
We have ES running on a Splunk instance in a central location (let's call it site A).
Currently, only data from local servers is being ingested into Splunk. We'll be expanding the architecture to include over 20 sites. In each site, we have a Splunk indexer that collects that location's data.

We are considering the following options:
- Search Head with ES on central location, clustered with all the remote indexers across the globe: This architecture requires each query on the SH to hit all of the remote locations, in which case the user experience will completely depend on the network latency.
- Hybrid environment: Would it be possible to forward the results (notable events) of selected correlation searches from all the remote indexers to the central indexer in Site A, and store notable events in the same location as the SH? If we can manage to set this up, the incident review dashboard and other frequently used dashboards will run on the local indexer in the same network. Investigative dashboards that require access to raw events can be run on the remote indexers, which will be clustered with the SH. If this architecture can be set up and fine-tuned, then there would not be as much dependency on the network latency.

Has anyone set up ES on a similar environment? Please help us with recommendations, suggestions or considerations regarding the above options. Any feedback, insight, anecdote is highly appreciated. Thanks!!

0 Karma
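As an added illustration of the hybrid option described above (not from the original post or from Splunk's ES documentation): an `outputs.conf` index filter on each remote-site indexer that keeps all data local but forwards only the `notable` index to the Site A indexer. It assumes correlation searches at each site write into a local `notable` index, that the Site A indexer receives on port 9997, and the placeholder host name `idx-siteA.example.com`.

```ini
# --- On each remote-site indexer: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Keep indexing everything locally; only events that pass the index filter below
# are also forwarded.
[indexAndForward]
index = true

[tcpout]
defaultGroup = siteA_central
# Index-based forwarding filters are evaluated in order of <n>; a later rule
# overrides an earlier one. Filter 0 replaces the shipped ".*" whitelist so that
# only the notable index is forwarded. The shipped filters 1 (blacklist _.*) and
# 2 (whitelist of Splunk's internal indexes) still apply, so internal logs
# continue to be forwarded as well.
forwardedindex.0.whitelist = notable
forwardedindex.filter.disable = false

[tcpout:siteA_central]
# Placeholder host name; replace with the Site A indexer's address.
server = idx-siteA.example.com:9997

# --- On the Site A indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Receiving port for the notable events forwarded from the remote sites.
[splunktcp://9997]
disabled = 0
```

Note that with `index = true` each remote site keeps its own copy of `notable`, so a search head whose peers include both the remote indexers and the Site A indexer would return every notable event twice; the hybrid design has to account for that (for example by not indexing `notable` locally at the remote sites).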

guybah123
New Member

Hi nileena, good morning. Did you get any answers? I'm looking at such an architecture; can you please advise on your solution?
Thanks,
Guy

0 Karma