Perhaps I wasn't very clear, my apologies, but when I spoke of stovepipes, it should have read as single Splunk standalone instances (SIs). So, because each SI is not a source for information across all environments... this flattened way of doing business is being changed. My initial proposal was to turn the SIs into Heavy Forwarders, and build a proper indexing tier and search head. But it seems that may be more than was originally anticipated by the customer. So, the traditional Splunk architecture appears to have a few roadblocks.
Bringing this full circle, I proposed the question above. The idea is to keep the single instances in place because they are already collecting the proper data. However, if we can "cherry pick" events that we will trigger across all environments, we could send these alerts to a brand new SH that would be dedicated to only triggered alerts. Here's a crude ASCII art sketch:
        A SI              B SI
          |________________|
  C SI -  |   ALERTS SH    |  - D SI
  E SI -  |________________|  - X SI
Let me know if this clears things up. Thank you for taking the time to help.
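As an added illustration of the sketch above (this is not code from the original reply or from Splunk): one way each standalone instance could "cherry pick" its triggered alerts is a custom alert action script that packages the results of the triggering search as HTTP Event Collector (HEC) events and posts them to the central alerts SH, tagged with the originating instance and search name. The HEC URL, token and index name are placeholders/assumptions, and the results CSV is constructed for the example.

```python
"""
Ship "cherry-picked" alert results from a standalone Splunk instance (SI)
to a central alerts search head over the HTTP Event Collector (HEC).

Added example, not from the original thread. The hostname, the token and
the index name below are assumptions / placeholders to be replaced.
"""
import csv
import gzip
import io
import json
import socket
import sys
import urllib.request

# Assumed values for the central alerts search head (placeholders).
HEC_URL = "https://alerts-sh.example.internal:8088/services/collector/event"
HEC_TOKEN = "REPLACE-WITH-HEC-TOKEN"
ALERTS_INDEX = "central_alerts"

# Constructed sample: what a triggered search's results file might contain.
SAMPLE_RESULTS_CSV = (
    "_time,host,user,action\n"
    "1700000000,web-01,alice,failed_login\n"
    "1700000060,web-01,alice,failed_login\n"
)
SAMPLE_RESULTS_GZ = gzip.compress(SAMPLE_RESULTS_CSV.encode())


def read_results(gz_bytes):
    """Parse the gzipped CSV results file an alert action is handed
    (the ``results_file`` path in the stdin JSON of a custom alert action)."""
    with gzip.open(io.BytesIO(gz_bytes), "rt", newline="") as fh:
        return list(csv.DictReader(fh))


def build_hec_events(rows, search_name, origin_host, index=ALERTS_INDEX):
    """Wrap each result row as one HEC event, tagged with where it came from.

    The origin SI and the triggering search are added as fields so the
    alerts SH can still tell A's alerts from B's once everything lands in
    one index. Splunk's internal ``__mv_*`` helper columns are dropped.
    """
    events = []
    for row in rows:
        fields = {k: v for k, v in row.items() if k and not k.startswith("__mv_")}
        fields["origin_instance"] = origin_host
        fields["triggered_search"] = search_name
        hec = {
            "event": fields,
            "host": origin_host,
            "source": f"alert:{search_name}",
            "sourcetype": "splunk:forwarded_alert",
            "index": index,
        }
        # Keep the original event time when the search returned an epoch _time.
        try:
            hec["time"] = float(row["_time"])
        except (KeyError, ValueError):
            pass
        events.append(hec)
    return events


def to_hec_payload(events):
    """HEC accepts several JSON objects in one request, newline-separated."""
    return "\n".join(json.dumps(e) for e in events)


def send_to_hec(payload, url=HEC_URL, token=HEC_TOKEN):
    """POST the batch; TLS certificate verification stays on (urllib default)."""
    req = urllib.request.Request(
        url,
        data=payload.encode(),
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def main():
    # Custom alert actions receive a JSON document on stdin; results_file
    # and search_name are the two keys used here.
    meta = json.load(sys.stdin)
    with open(meta["results_file"], "rb") as fh:
        rows = read_results(fh.read())
    events = build_hec_events(rows, meta.get("search_name", "unknown"),
                              socket.gethostname())
    if events:
        print(send_to_hec(to_hec_payload(events)))


if __name__ == "__main__":
    main()
```

Wired up as the same custom alert action on every SI, only the searches that are configured to trigger ever leave the instance, and each forwarded result carries its origin instance and search name, so the alerts SH can filter or route per environment without the SIs becoming forwarders for everything they index.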