Splunk Search

Add clustered search peers (indexers) to standalone search head?

splunkreal
Motivator

Hello,

Is it possible to add clustered search peers (indexers) to a standalone search head?

Thanks.

* If this helps, please upvote or accept solution 🙂 *

somesoni2
Revered Legend

Yes, follow the instructions below to add a search head to query the indexer cluster.

http://docs.splunk.com/Documentation/Splunk/6.5.0/Indexer/Enablethesearchhead#Enable_the_search_head...

splunkreal
Motivator

Dear Somesh,

Finally, I've added search peers (indexers of the cluster) in distributed search of the new SH and it looks good!

I don't want any sync or replication of clustered search heads.

Thanks a lot.


splunkreal
Motivator

Hello, we have an app (app_authentication) used to deploy authorize.conf and authentication.conf on our shcluster. Does it mean that I only need to disable deployment of this app on the new search head and configure users/roles locally? Thanks a lot.


somesoni2
Revered Legend

You would have to create a copy of that app, make the required permission changes in the app, and deploy the updated app to your standalone SH.


splunkreal
Motivator

Can't we just add search peers (clustered indexers) in "Settings / distributed search / search peers" from the new SH?

The aim is to avoid that additional search head becoming part of the cluster.

Thanks for your help.


somesoni2
Revered Legend

A search in an indexer cluster will still behave as a regular SH only. The benefit of configuring search peers by adding the SH to the cluster is that you don't have to make changes on the SH if there is a change in the indexer cluster (you add or remove search peers from the cluster). See this for a comparison of both methods:

http://docs.splunk.com/Documentation/Splunk/6.5.0/Indexer/Configurethesearchhead#Search_heads_runnin...


splunkreal
Motivator

The aim for that standalone search head is to have different permissions for existing clustered indexes. Is it possible with your solution?
Thanks.


somesoni2
Revered Legend

The permissions are handled at role level on Search Head, so you should be able to manage index level permission per your need.
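Since index access is decided by the roles on each search head, it is worth checking what the standalone search head's local authorize.conf actually grants before pointing it at the clustered indexers. The script below is an added example, not code from the posters or from Splunk: it resolves each role's effective `srchIndexesAllowed`, including patterns inherited through `importRoles`, from a constructed sample file. The role and index names are made up, and the wildcard handling is a simplified assumption (`*` matches any run of characters, and a pattern must start with `_` to match an internal index).

```python
import configparser
import re

# Constructed sample: roles as they might be defined locally on the standalone SH.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = main

[role_soc_analyst]
importRoles = user
srchIndexesAllowed = security;firewall_*

[role_soc_lead]
importRoles = soc_analyst
srchIndexesAllowed = _audit
"""

def load_roles(text):
    """Parse authorize.conf text into {role_name: {setting: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the camelCase setting names as written
    cp.read_string(text)
    return {s[len("role_"):]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}

def split_list(value):
    """Split a semicolon-separated setting value into clean items."""
    return [v.strip() for v in value.split(";") if v.strip()]

def effective_indexes(roles, role, _seen=None):
    """Index patterns a role may search, own plus inherited via importRoles."""
    seen = _seen if _seen is not None else set()
    if role in seen or role not in roles:  # import cycle or undefined role
        return set()
    seen.add(role)
    patterns = set(split_list(roles[role].get("srchIndexesAllowed", "")))
    for parent in split_list(roles[role].get("importRoles", "")):
        patterns |= effective_indexes(roles, parent, seen)
    return patterns

def pattern_matches(pattern, index):
    """Simplified matching: '*' is the only wildcard; '_' indexes need a '_' pattern."""
    if index.startswith("_") and not pattern.startswith("_"):
        return False
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index) is not None

def roles_allowed(roles, index):
    """Sorted role names whose effective patterns cover the given index."""
    return sorted(r for r in roles
                  if any(pattern_matches(p, index) for p in effective_indexes(roles, r)))
```

Running `roles_allowed(load_roles(text), "<index>")` against the authorize.conf from the search head cluster app and against the copy meant for the standalone search head shows where the two grant different access to the same clustered index.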
