Splunk Enterprise Security

Splunk PCI Installation of indexes

cafissimo
Communicator

Hello,
I am installing Splunk PCI app 3.5.0 on an environment that is made of a Search Head and two indexers (not clustered).
Should I forward all data from Search Head to the indexers (as best practices say) or should I let the Search Head index something?

Thanks in advance and kind regards.

0 Karma

xpac
SplunkTrust
SplunkTrust

Always forward all the data to the indexers.
Indexers gonna index, Search heads gonna search 😉

Seriously, indexers are built to store the data, you can cluster them, so the data is replicated, etc. Even if they're not clustered - that's where the data belongs. You'll just get yourself in unsupported trouble 😉
Search heads, even clustered, do not replicate their indexed data, because that's not what they're designed for.
Therefore - follow best practice, please.

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...