Splunk Enterprise Security

Recommendation for Splunk Enterprise Security architecture in distributed environment

nileena
Path Finder

Hi Splunkers,

I need some help in planning an ES environment set.
Background:
We have ES running on a Splunk instance in a central location (let's call it site A).
Currently, only data from local servers is being ingested into Splunk. We'll be expanding the architecture to include over 20 sites. In each site, we have a Splunk indexer which collects data of that location.

We are considering the following options:
- Search Head with ES on central location, clustered with all the remote indexers across the globe: This architecture requires each query on the SH to hit all of the remote locations, in which case the user experience will completely depend on the network latency.
- Hybrid environment: Would it be possible to forward the results (notable events) of selected correlation searches from all the remote indexers to the central indexer in Site A, and store notable events in the same location as the SH? If we can manage to set this up, incident review dashboard and other frequently used dashboards will run on local indexer in the same network. Investigative dashboards which require access to raw events can be run on remote indexers which will be clustered with the SH. If this architecture can be set up and fine-tuned, then there would not be as much dependency on the network latency.

Has anyone set up ES on a similar environment? Please help us with recommendations, suggestions or considerations regarding the above options. Any feedback, insight, anecdote is highly appreciated. Thanks!!

0 Karma

guybah123
New Member

hi nileena good morning - did you got any answers? looking at such architecture - can you please advise for your solution?
tnx
guy

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...