- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Can I configure a search head cluster if there is ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can I configure a search head cluster if there is no data replication across data centers?
I have 6 standalone Splunk instances across different data centers (DCs) and data is not replicated across DCs for security reasons.
Requirement is
a) Power users - should be able to access logs into their DCs - which is possible and I can configure index-level access
b) Admin users - should have access to all the information. - This is what I need help for. What would be the best architecture?
Possible solutions
a) Have a SH in one of the DCs and configure SH as a Search peer for all indexers
b) Configure SH cluster across DCs. - But question is, can i configure SH cluster if there is no data replication and if yes, then how to configure it?
Please suggest if there is any alternate solution.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For answer question for solution b, No, if no data replication is possible, then SHC can't be configured. The SH replicates user configs and lot of other info across SHC and if communication is not allowed between data centers/Search Head, this would not work. In fact, you won't be able to set it up itself.
For solution a, is access to Indexers (in different DC) allowed from SH (SH also are in different DC)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have 6 different regions and each region has standalone Splunk ent installation. Each Splunk instance works as a SH and IDX for local region.
Now I want to configure SH in region A to point to IDX of region B (or other way round) and other regions too, so that from each region's SH I can access other region's data without actually replicating it across regions.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem here is where it's SHC OR standalone SH, it replicates knowledge bundles to it's search peers (which are not in the same instance). So if the replication is not allowed between servers in different DC, you cant configure SHC OR even Distributed Search (adding Indexers are search peers).
http://docs.splunk.com/Documentation/Splunk/6.5.0/DistSearch/Whatsearchheadssend
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
