I have 6 standalone Splunk instances across different data centers (DCs) and data is not replicated across DCs for security reasons.
The requirements are:
a) Power users - should be able to access logs in their DCs - which is possible, and I can configure index-level access
b) Admin users - should have access to all the information. This is what I need help with. What would be the best architecture?
Possible solutions:
a) Have a SH in one of the DCs and configure SH as a Search peer for all indexers
b) Configure a SH cluster across DCs. But the question is, can I configure a SH cluster if there is no data replication, and if yes, then how do I configure it?
Please suggest if there is any alternative solution.