As @tscroggins said - Splunk clusters are not active-passive setups. One could think of some duct-tape setups with limiting network connectivity to certain times of day but that would make the cluster as a whole appear severely degraded.

You could think of a "outside Splunk" replication of servers' state but that's tricky and not really supported. If you have some specific business needs, consult them with either Splunk Presales team or your friendly local Splunk Partner,

Hi @Nraj87,

"Site A" should be read as "Site 1," and "Site N" should be read as "Site 2, Site 2, Site 3, ..., Site N."

Splunk indexer clustering isn't active-passive; however, you can use site settings to limit forwarding and search to Site 1 and configure cluster replication to copy all data to Site 2. Site 1 should also host the majority of SHC members.

If Site 2 is down, your global SHC load balancing solution should direct users to Site 1, and your indexer cluster will in theory queue replication tasks until Site 2 is up. Your cluster would appear unhealthy whenever Site 2 is down.

If you're using SmartStore, the utility of Site 2 is limited.  Only hot buckets will be replicated, so in your case only hot buckets open between 01:00 and the time Site 2 goes offline will be replicated. Your object storage solution should be geographically distributed, and indexers in Site 2 would pull warm buckets from remote storage as needed; however, if you're not actively searching Site 2, there would be little work for Site 2 to do.

Have you consulted a Splunk presales team? They're better equipped than Splunk Answers to evaluate your business needs and determine whether an M4/M14 architecture meets your requirements.