I am planning a multisite architecture.
I have 3 sites in 3 different locations (different countries across Europe), and the first thing I need is to store local indexed data locally on each site (so that the data will not go through the internet while indexing or replicating, only while searching). The second thing I need is to be able to run searches across all 3 sites from a single search head, located at one site.
The first architecture plan I came up with is one single indexing cluster (with 2 or 3 indexing peers located at each site and a master node + search head located at one site), but I am not sure if it is possible to set up indexing cluster replication that way so that it will replicate indexed data only across local indexing peers at each site.
The second architecture plan is 3 separate single-site indexing clusters (each with 2-3 indexing peers and a cluster master) and one search head at one of the 3 sites, but here I am not sure if it will be possible to run searches from the single search head across all 3 single-site indexing clusters.
Splunk gurus, please help me work out which of these 2 architecture plans will work properly and which of them would be better to choose according to my described preferences.