Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk architectural design - global search head

johant
Explorer
‎06-27-2018 05:13 PM

Hi,

I need someone to shed me some light on what is the best approach for me on changing my splunk architecture.
Currently, I have about 4 of single instance deployment of Splunk Enterprise Security; 1 indexer/search head and 1 heavy forwarder with each indexer and heavy forwarder dedicated to one customer.
Now, I find that this is a lot of hassle because if i need to search for a particular data for that customer I have to login to separate indexer every single time.
Note that each of the indexer have the same index name such as cisco, windows, etc.

My plan is to have 1 single search head to query the data from other indexer. I am just not sure how to deploy it with the enterprise security installed. Do I need to install enterprise security in search head only or does the enterprise security needs to be installed in the indexer as well since I enabled threat intelligence in the indexer before?

As I mentioned earlier, the data on each indexer have the same index name. How do I differentiate the data if I queried it from a single global search head?

Regards,
Johan

0 Karma
Reply

smoir_splunk
Splunk Employee
Splunk Employee
‎06-28-2018 11:01 AM

This situation sounds complex, and would be best tackled with the expertise of Splunk Professional Services.
https://www.splunk.com/en_us/support-and-services/splunk-services.html

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...