Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk PCI Installation of indexes

cafissimo
Communicator
‎05-02-2018 08:05 AM

Hello,
I am installing Splunk PCI app 3.5.0 on an environment that is made of a Search Head and two indexers (not clustered).
Should I forward all data from Search Head to the indexers (as best practices say) or should I let the Search Head index something?

Thanks in advance and kind regards.

0 Karma
Reply

xpac
SplunkTrust
SplunkTrust
‎05-02-2018 08:12 AM

Always forward all the data to the indexers.
Indexers gonna index, Search heads gonna search 😉

Seriously, indexers are built to store the data, you can cluster them, so the data is replicated, etc. Even if they're not clustered - that's where the data belongs. You'll just get yourself in unsupported trouble 😉
Search heads, even clustered, do not replicate their indexed data, because that's not what they're designed for.
Therefore - follow best practice, please.

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...