Splunk ITSI
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Will the multiple ITSI instances stomp on each others data in common indexes?

archspangler
Path Finder
‎12-05-2017 10:27 AM

Is it possible to have multiple ITSI search heads all configured to forward events to a common "Indexer farm"?

-Archie

Tags (2)
0 Karma
Reply

DalJeanis
Legend
‎12-15-2017 11:49 AM

"Overwrite" isn't usually a thing in Splunk. The more likely issue is that they will both throw data at the same index and it will all get added together. It would be better to make sure that the relevant indexes contained the "region" in the index name.

This is better data management practice anyway, because there are going to be some employees who you want to be able to see the data regarding Dev but not Prod or vice versa, or regarding the various internal customers, and Splunk access controls are primarily at the index level.

An employee should never be able to see any data that they would not have a business need to see, especially if there is PHI (private health information) or PII (personally identifiable information) or company-confidential information involved.

0 Karma
Reply

adonio
Ultra Champion
‎12-15-2017 10:53 AM

hello there,
i think that the challenge there is to avoid same summary searches ... as you will cause double load on indexers as well as double results in ITSI summary indexes.
what is it that you are trying to achieve?

hope it helps

0 Karma
Reply

archspangler
Path Finder
‎12-15-2017 11:07 AM

We want to have multiple ITSI instances. (Dev, Prod, other internal customers). All of the data is on our Index cluster; along with the indexes for ITIS. My fear is that all of the ITSI instances would be pointed to the same index cluster and I am afraid that one ITSI instance will overwrite some data the other need.

Unless each ITSI instance is writing it's own unique data into the common indexes.

0 Karma
Reply

adonio
Ultra Champion
‎12-15-2017 11:22 AM

one way to solve this is to have the Dev ITSI SH index data locally, that will prevent from double indexing in the ITSI summaries on your indexer cluster.
you will still have multiple loads on the indexer layer

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...