Splunk Enterprise Security

Recommendation for Splunk Enterprise Security architecture in distributed environment

nileena
Path Finder

Hi Splunkers,

I need some help in planning an ES environment set.
Background:
We have ES running on a Splunk instance in a central location (let's call it site A).
Currently, only data from local servers is being ingested into Splunk. We'll be expanding the architecture to include over 20 sites. In each site, we have a Splunk indexer which collects data of that location.

We are considering the following options:
- Search Head with ES on central location, clustered with all the remote indexers across the globe: This architecture requires each query on the SH to hit all of the remote locations, in which case the user experience will completely depend on the network latency.
- Hybrid environment: Would it be possible to forward the results (notable events) of selected correlation searches from all the remote indexers to the central indexer in Site A, and store notable events in the same location as the SH? If we can manage to set this up, the Incident Review dashboard and other frequently used dashboards will run on the local indexer in the same network. Investigative dashboards which require access to raw events can be run on the remote indexers, which will be clustered with the SH. If this architecture can be set up and fine-tuned, then there would not be as much dependency on the network latency.

Has anyone set up ES on a similar environment? Please help us with recommendations, suggestions or considerations regarding the above options. Any feedback, insight, anecdote is highly appreciated. Thanks!!

0 Karma
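One concrete way to express the "store notable events next to the SH" part of the hybrid option, added here as an illustration and not taken from the post or from any answer on this thread. It relies on a property of Enterprise Security that is worth keeping in mind when weighing the two options: notable events are not produced on the remote indexers at all. The correlation searches run on the ES search head, and when one fires, the search head writes the notable event into its own `notable` index, which it then forwards to whatever indexers its `outputs.conf` lists. So which site ends up holding `index=notable` is decided by the search head's forwarding configuration, not by anything on the remote indexers. The hostnames below are hypothetical.

```ini
# $SPLUNK_HOME/etc/system/local/outputs.conf on the ES search head.
# Hypothetical hosts (idx-sitea.example.com is the site-A indexer).
#
# The search head keeps no local copy of the data it generates; everything
# it produces (index=notable, ES summary indexes, its own _internal logs)
# is forwarded, and only the site-A indexer is listed as a destination, so
# the notable index lives on the same network as the search head.
[indexAndForward]
index = false

[tcpout]
defaultGroup = siteA_indexers
# Also forward the _internal/_audit indexes instead of filtering them out.
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:siteA_indexers]
server = idx-sitea.example.com:9997
```

Two caveats a practitioner should check before relying on this. First, this only controls where notable events are stored; every search dispatched from the search head is still sent to all of its search peers, including the remote ones, unless the search itself names a peer (an ad-hoc search can, with `index=notable splunk_server=idx-sitea`, but the searches behind the ES Incident Review dashboard do not carry such a restriction, so that dashboard still waits on the slowest remote peer's reply). Second, the correlation searches themselves still need the raw events at every site, so the remote indexers must remain search peers of the ES search head; this configuration does not reduce that part of the traffic.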

guybah123
New Member

Hi nileena, good morning. Did you get any answers? I'm looking at such an architecture; can you please advise on your solution?
Thanks,
Guy

0 Karma