Splunk Enterprise Security

Splunk architectural design - global search head

johant
Explorer

Hi,

I need someone to shed me some light on what is the best approach for me on changing my splunk architecture.
Currently, I have about 4 of single instance deployment of Splunk Enterprise Security; 1 indexer/search head and 1 heavy forwarder with each indexer and heavy forwarder dedicated to one customer.
Now, I find that this is a lot of hassle because if i need to search for a particular data for that customer I have to login to separate indexer every single time.
Note that each of the indexer have the same index name such as cisco, windows, etc.

My plan is to have 1 single search head to query the data from other indexer. I am just not sure how to deploy it with the enterprise security installed. Do I need to install enterprise security in search head only or does the enterprise security needs to be installed in the indexer as well since I enabled threat intelligence in the indexer before?

As I mentioned earlier, the data on each indexer have the same index name. How do I differentiate the data if I queried it from a single global search head?

Regards,
Johan

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

This situation sounds complex, and would be best tackled with the expertise of Splunk Professional Services.
https://www.splunk.com/en_us/support-and-services/splunk-services.html

0 Karma
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...