Splunk Enterprise Security

Splunk architectural design - global search head

johant
Explorer

Hi,

I need someone to shed some light on what is the best approach for changing my Splunk architecture.
Currently, I have about 4 single-instance deployments of Splunk Enterprise Security: 1 indexer/search head and 1 heavy forwarder, with each indexer and heavy forwarder dedicated to one customer.
Now, I find that this is a lot of hassle, because if I need to search for particular data for that customer I have to log in to a separate indexer every single time.
Note that each of the indexers has the same index names, such as cisco, windows, etc.

My plan is to have 1 single search head to query the data from the other indexers. I am just not sure how to deploy it with Enterprise Security installed. Do I need to install Enterprise Security on the search head only, or does Enterprise Security need to be installed on the indexers as well, since I enabled threat intelligence on the indexers before?

As I mentioned earlier, the data on each indexer has the same index names. How do I differentiate the data if I query it from a single global search head?

Regards,
Johan

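The question above asks how one search head can query several indexers that all use the same index names and still tell the customers apart. As an added example (not from the original post or from Splunk documentation), the distsearch.conf fragment below puts each customer's existing indexer into its own distributed search group on the new search head; the hostnames and group names are assumptions chosen for illustration.

```ini
# distsearch.conf on the global search head (added example, not from the
# original thread). Hostnames, ports and group names are illustrative.
# In practice the peers are usually added with
#   splunk add search-server <host:8089> -auth ... -remoteUsername ... -remotePassword ...
# or via Settings > Distributed search, which also handles the key exchange;
# the stanzas here show the resulting layout.

[distributedSearch]
# All four existing indexers become search peers of this search head.
servers = https://idx-customer-a.example.com:8089, https://idx-customer-b.example.com:8089, https://idx-customer-c.example.com:8089, https://idx-customer-d.example.com:8089

# One search group per customer so a search can be pinned to a single peer.
# default = false keeps searches spanning all peers unless a group is named.
[distributedSearch:customer_a]
servers = https://idx-customer-a.example.com:8089
default = false

[distributedSearch:customer_b]
servers = https://idx-customer-b.example.com:8089
default = false

[distributedSearch:customer_c]
servers = https://idx-customer-c.example.com:8089
default = false

[distributedSearch:customer_d]
servers = https://idx-customer-d.example.com:8089
default = false
```

With this in place, a search such as `index=cisco splunk_server_group=customer_a` returns only customer A's data even though every peer has an index named cisco, and `index=cisco | stats count by splunk_server` shows which peer each event came from, because distributed search tags every event with the `splunk_server` field. Note that this example only covers the distributed-search layer of the question; whether Enterprise Security content and threat-intelligence lookups need to remain on the indexers is not something the thread answers.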

smoir_splunk
Splunk Employee

This situation sounds complex, and would be best tackled with the expertise of Splunk Professional Services.
https://www.splunk.com/en_us/support-and-services/splunk-services.html
