Splunk Enterprise

Sync between Onprem SH and Azure search head

saikiran334
Explorer

Hello,

1) Currently we do have a search head in OnPrem to which indexer clusters have been connected!

2) Now, we would like to spin up a new Splunk SH instance (on Ubuntu) in Azure and install the "TrackMe" app on this new Azure SH by syncing with OnPrem SH.

Is this a use case anyone has already tried, or is it possible to apply?

Reason: We'd like to have our own SH in Azure exclusively for our own team and utilize it.

 

0 Karma

saikiran334
Explorer

Thanks, @guilmxm @isoutamo, for your views on it.

I'm thinking of connecting the Azure SH (stand-alone) with the OnPrem indexer cluster (taking network configs, firewalls, etc. into account).

0 Karma

isoutamo
SplunkTrust
This should work w/o issues.

guilmxm
Influencer


Hi @saikiran334 

I am afraid that even after very carefully reading your question, I am not getting it.

"on this new Azure SH by syncing with OnPrem SH" no idea what you mean here.

You can install TrackMe in any search head, standalone or SHC, that makes sense for you. If the search head can search in the indexers you need, then TrackMe will be able to access them.

Guilhem

0 Karma

isoutamo
SplunkTrust

Hi

As @guilmxm said, you could install a new SH in Azure, but syncing it with the on-prem SH is another story. There is no automatic way to sync individual SHs. Of course you could keep the same apps etc. on them, but there is no way to keep users' changes in sync between them. If this is what you want, then you must install an SHC which is spread over those sites. This requires that there isn't too much latency (200 ms) between nodes. You also need four nodes (3xSH + 1 deployer) to build it.

r. Ismo

0 Karma