So this is a bit of a convoluted situation, so I will try to explain it as best I can.
There are 2 Splunk environments (site1, site2) internally; both have their own set of search heads, indexers, etc. Both are set up as search head clusters and clustered indexers.
Site1 has data that Site2 wants to be able to search, but only 2 specific indexes (*indexA indexB*). Site1 does not need any data from Site2.
How do we go about setting this up? Because if we add a cluster master to Site2, it gives the users access to **all** indexes from Site1. Even with an authorizations.conf we cannot stop Site2 from searching Site1's _internal indexes and any indexes whose names we share.
The idea I currently have is adding each of Site1's indexers as a search peer to Site2's search head cluster and adding a user/role '*Site2User*', so that when the search server is added on every indexer it looks like this:

```
splunk add search-server -host 10.10.10.10:8089 -auth admin:password -remoteUsername Site2User -remotePassword Site2UserPass
```

This would allow us to restrict index usage to IndexA and IndexB only, and although when our indexer tier expands we will have to add more search peers, it's the easiest and best method I can think of at the moment. However, does this cause issues with Site1's indexer cluster? Are there reasons we shouldn't do this? Are there better methods to achieve this?
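The setup sketched in the question, as an added example that is not part of the original post: a small POSIX shell script that (a) generates the authorize.conf stanza for the restricted role on the Site1 indexers, limiting it to the two shared indexes via `srchIndexesAllowed`, (b) prints the `splunk add search-server` command for each Site1 indexer so the list can be reviewed before it is run on the Site2 search heads, and (c) checks that the allowed-index list contains no wildcard and no `_`-prefixed index, since either would widen the role beyond the pair the question wants to share. The indexer addresses, the role name `site2user` (lowercase is the usual convention for role stanzas), the password placeholders and the index names are all assumptions; the file is `authorize.conf`, not `authorizations.conf`.

```shell
#!/bin/sh
# Added example (not from the original post). Produces the restricted-role
# stanza for Site1's authorize.conf and the per-indexer search-peer commands
# for Site2's search heads. Hosts, role name and credentials are assumptions.

# Constructed list of Site1 indexers (assumed); replace with the real peers.
SITE1_INDEXERS="10.10.10.10 10.10.10.11 10.10.10.12"
LOCAL_AUTH="admin:password"        # placeholder for the Site2 search head admin
REMOTE_ROLE="site2user"            # role created on every Site1 indexer
REMOTE_PASS="Site2UserPass"        # placeholder for the remote account password

# Build the allowed-index list "a;b;c" from the positional arguments.
join_indexes() {
    printf '%s;' "$@" | sed 's/;$//'
}

# Emit the authorize.conf stanza that confines the role to the shared indexes.
# srchIndexesDefault is set to the same list so searches without an index=
# term do not fall back to the role's default of nothing being searchable.
site2_role_stanza() {
    role="$1"; shift
    allowed=$(join_indexes "$@")
    printf '[role_%s]\nimportRoles = user\nsrchIndexesAllowed = %s\nsrchIndexesDefault = %s\n' \
        "$role" "$allowed" "$allowed"
}

# Emit (do not execute) the add-search-server command for one Site1 indexer,
# in the same form as the command in the question.
add_peer_cmd() {
    printf 'splunk add search-server -host %s:8089 -auth %s -remoteUsername %s -remotePassword %s\n' \
        "$1" "$LOCAL_AUTH" "$2" "$3"
}

# Guard: the allowed list must name concrete indexes only. A wildcard or an
# index starting with "_" (e.g. _internal) would expose more than the pair.
allowed_is_restricted() {
    case "$1" in
        *\**) return 1 ;;           # any wildcard
        _*|*\;_*) return 1 ;;       # "_x" at the start or after a separator
    esac
    return 0
}

# Stand-alone run: print the stanza, verify it, then list the peer commands.
ALLOWED=$(join_indexes indexA indexB)
if allowed_is_restricted "$ALLOWED"; then
    echo "# --- authorize.conf on each Site1 indexer ---"
    site2_role_stanza "$REMOTE_ROLE" indexA indexB
    echo "# --- run on a Site2 search head member ---"
    for idx in $SITE1_INDEXERS; do
        add_peer_cmd "$idx" "$REMOTE_ROLE" "$REMOTE_PASS"
    done
else
    echo "refusing: allowed index list '$ALLOWED' is not restricted" >&2
    exit 1
fi
```

After the stanza is deployed to the Site1 indexers, `splunk btool authorize list role_site2user --debug` on an indexer shows the effective `srchIndexesAllowed` value and which file it came from, which is the quickest way to confirm no other authorize.conf layer is widening the role.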