Splunk architectural design - global search head

johant · ‎06-27-2018

Hi,

I need someone to shed me some light on what is the best approach for me on changing my splunk architecture.
Currently, I have about 4 of single instance deployment of Splunk Enterprise Security; 1 indexer/search head and 1 heavy forwarder with each indexer and heavy forwarder dedicated to one customer.
Now, I find that this is a lot of hassle because if i need to search for a particular data for that customer I have to login to separate indexer every single time.
Note that each of the indexer have the same index name such as cisco, windows, etc.

My plan is to have 1 single search head to query the data from other indexer. I am just not sure how to deploy it with the enterprise security installed. Do I need to install enterprise security in search head only or does the enterprise security needs to be installed in the indexer as well since I enabled threat intelligence in the indexer before?

As I mentioned earlier, the data on each indexer have the same index name. How do I differentiate the data if I queried it from a single global search head?

Regards,
Johan

smoir_splunk · ‎06-28-2018

This situation sounds complex, and would be best tackled with the expertise of Splunk Professional Services.
https://www.splunk.com/en_us/support-and-services/splunk-services.html

Splunk architectural design - global search head

Archived Metrics Now Available for APAC and EMEA realms

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!