Splunk Enterprise Security

Recommendation for Splunk Enterprise Security architecture in distributed environment

nileena
Path Finder

Hi Splunkers,

I need some help in planning an ES environment setup.
Background:
We have ES running on a Splunk instance in a central location (let's call it site A).
Currently, only data from local servers is being ingested into Splunk. We'll be expanding the architecture to include over 20 sites. In each site, we have a Splunk indexer which collects data from that location.

We are considering the following options:
- Search Head with ES at the central location, clustered with all the remote indexers across the globe: This architecture requires each query on the SH to hit all of the remote locations, in which case the user experience will completely depend on the network latency.
- Hybrid environment: Would it be possible to forward the results (notable events) of selected correlation searches from all the remote indexers to the central indexer in Site A, and store notable events in the same location as the SH? If we can manage to set this up, the Incident Review dashboard and other frequently used dashboards will run on the local indexer in the same network. Investigative dashboards which require access to raw events can be run on the remote indexers, which will be clustered with the SH. If this architecture can be set up and fine-tuned, then there would not be as much dependency on the network latency.

Has anyone set up ES on a similar environment? Please help us with recommendations, suggestions or considerations regarding the above options. Any feedback, insight, anecdote is highly appreciated. Thanks!!

0 Karma

guybah123
New Member

Hi nileena, good morning. Did you get any answers? I am looking at such an architecture. Can you please advise on your solution?
Thanks,
guy

0 Karma