Splunk ES pulling notables from other ES instance

Splunk Enterprise

Hi Splunkers, today I have a "curiosity" about an architectural design I examinated last week.

The idea is the following: different regions (the 5 continents, in a nutshell), every one with its set of log sources and Splunk Components. All Splunk "items" are on prem: Forwarder, Indexers, SH and so on. More over, every region has 2 SH: one with Enterprise Security and another one without it. Untile now, "nothing new under the sun", like we say in Italy.
The new element, I men new for me and my experience, is the following one: there is a "centralized" cluster of SH, each one with Enterprise Security installed on it, that should collect the notables events from every regional ES. So, the flow about those component should be:

Europe ES Notables -> "Centralized" ES Cluster

America ES Notables -> "Centralized" ES Cluster

And so on. So, my wonder is: is there any doc about forward Notables events from a ES platform to another one? I searched but I didn't find anything about that (probabile I searched bad, I know).

Get Updates on the Splunk Community!

Splunk ES pulling notables from other ES instance

administration

configuration

using Splunk Enterprise

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Join the Conversation

Splunk ES pulling notables from other ES instance

administration

configuration

using Splunk Enterprise

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!