Splunk Enterprise Security

Splunk architectural design - global search head

johant
Explorer

Hi,

I need someone to shed me some light on what is the best approach for me on changing my splunk architecture.
Currently, I have about 4 of single instance deployment of Splunk Enterprise Security; 1 indexer/search head and 1 heavy forwarder with each indexer and heavy forwarder dedicated to one customer.
Now, I find that this is a lot of hassle because if i need to search for a particular data for that customer I have to login to separate indexer every single time.
Note that each of the indexer have the same index name such as cisco, windows, etc.

My plan is to have 1 single search head to query the data from other indexer. I am just not sure how to deploy it with the enterprise security installed. Do I need to install enterprise security in search head only or does the enterprise security needs to be installed in the indexer as well since I enabled threat intelligence in the indexer before?

As I mentioned earlier, the data on each indexer have the same index name. How do I differentiate the data if I queried it from a single global search head?

Regards,
Johan

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

This situation sounds complex, and would be best tackled with the expertise of Splunk Professional Services.
https://www.splunk.com/en_us/support-and-services/splunk-services.html

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...