The main catch is that administrators in both offices want complete control over their systems. That is, no one from the Head office will be able to influence the Branch system in any way and vice versa.

Based on my understanding of this requirement, there is likely no other option than to have the data count twice against the license. In v8.2+ of Splunk, there is now the concept of Federated Search, but I would argue this would still "influence" the Branch system from activity initiated from the Head Office system. https://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutfederatedsearch

What is the concern of the administrators of each Splunk system?

If the concern is around performance, Workload Management could be explored to limit the effect searches from one system would have on the other. (https://docs.splunk.com/Documentation/Splunk/8.2.0/Workloads/Aboutworkloadmanagement)

If the concern is around data access, Search Restrictions could be explored to limit access to only required data. (https://docs.splunk.com/Documentation/Splunk/8.2.0/Security/Addandeditroles#Specify_searchable_indexes_for_a_role)
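For the Search Restrictions suggestion in the answer above, an added example (not part of the original post and not Splunk tooling): a small audit of a Branch-side `authorize.conf` that reports which index patterns a role can actually search, including those inherited through `importRoles`. The role names, index names and the sample file are constructed for illustration.

```python
# Constructed sample authorize.conf for the Branch system (hypothetical roles/indexes).
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = *

# Looks restricted, but inherits "*" from role_user
[role_ho_federated_wide]
importRoles = user
srchIndexesAllowed = branch_shared

[role_ho_federated]
srchIndexesAllowed = branch_shared;branch_fw
srchIndexesDefault = branch_shared
"""

def parse_roles(text):
    """Parse [role_<name>] stanzas into {name: {setting: value}}."""
    roles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            current = roles.setdefault(name[5:], {}) if name.startswith("role_") else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return roles

def split_list(value):
    """Splunk role lists are semicolon-separated."""
    return [v.strip() for v in value.split(";") if v.strip()]

def effective_indexes(roles, role, seen=None):
    """Index patterns a role can search, including those inherited via importRoles."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    allowed = set(split_list(roles[role].get("srchIndexesAllowed", "")))
    for parent in split_list(roles[role].get("importRoles", "")):
        allowed |= effective_indexes(roles, parent, seen)
    return allowed

def audit_role(roles, role, approved):
    """Return patterns beyond the approved set; wildcards are always flagged."""
    return sorted(p for p in effective_indexes(roles, role)
                  if any(c in p for c in "*?") or p not in approved)
```

An empty result from `audit_role` means the role's effective searchable indexes stay within the set the Branch administrators agreed to expose.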