Splunk ES pulling notables from other ES instance

Splunk Enterprise

Hi Splunkers, today I have a "curiosity" about an architectural design I examinated last week.

The idea is the following: different regions (the 5 continents, in a nutshell), every one with its set of log sources and Splunk Components. All Splunk "items" are on prem: Forwarder, Indexers, SH and so on. More over, every region has 2 SH: one with Enterprise Security and another one without it. Untile now, "nothing new under the sun", like we say in Italy.
The new element, I men new for me and my experience, is the following one: there is a "centralized" cluster of SH, each one with Enterprise Security installed on it, that should collect the notables events from every regional ES. So, the flow about those component should be:

Europe ES Notables -> "Centralized" ES Cluster

America ES Notables -> "Centralized" ES Cluster

And so on. So, my wonder is: is there any doc about forward Notables events from a ES platform to another one? I searched but I didn't find anything about that (probabile I searched bad, I know).

Get Updates on the Splunk Community!

Splunk ES pulling notables from other ES instance

administration

configuration

using Splunk Enterprise

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

Splunk ES pulling notables from other ES instance

administration

configuration

using Splunk Enterprise

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!