Splunk Enterprise Security

Splunk PCI Installation of indexes


I am installing Splunk PCI app 3.5.0 on an environment that is made of a Search Head and two indexers (not clustered).
Should I forward all data from Search Head to the indexers (as best practices say) or should I let the Search Head index something?

Thanks in advance and kind regards.

0 Karma


Always forward all the data to the indexers.
Indexers gonna index, Search heads gonna search 😉

Seriously, indexers are built to store the data, you can cluster them, so the data is replicated, etc. Even if they're not clustered - that's where the data belongs. You'll just get yourself in unsupported trouble 😉
Search heads, even clustered, do not replicate their indexed data, because that's not what they're designed for.
Therefore - follow best practice, please.

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!