Hi,
I'm at the planning stages of designing a Splunk deployment in our global setup. I've been tasked with making this as lightweight on the network as possible, as our WAN links are expensive (time and cost) and I can't get in the way of existing traffic. So I think I need to ignore the best-practice examples of having indexers all replicating their data between them, as that appears to be all about search performance. We're happy to accept slower searches over less data replication cost.
Please point me at docs if this idea is covered but I haven't found anything myself.
I'm planning the following:
One indexer in each data center around the globe, with hosts sending their logs to their local indexer and nowhere else.
One search head in each data center and users will use the search head nearest to them.
Am I right in thinking that a search head will send a query to each indexer (or should I be saying search peer?), and that they will prepare a result set and send it back to the requesting search head to collate and present the results to the user?
If that's all true and would work, is there a way to quantify how much data is sent between the indexers and the search head? Is it as simple as just the _raw values that meet the search criteria, with the search head doing any further processing?
Thanks in advance!