Hello,
I am building an environment in which I have a Search Head (6.5.0) and many indexers: one indexer per customer.
On the SH, I have Splunk IT Service Intelligence (ITSI) 2.4.0 and many alerts and reports for each of my customers.
I need to restrict the searches to specific peers. Since each peer corresponds to a different client, I need the searches (alerts, KPIs, etc.) of client A to reach only the indexer of client A.
If I can't restrict them, there are two critical implications.
1. Scalability: all the indexers would need enough resources to process **all the searches of every client** (although almost all of them will return empty results). Consider that I'll have around 100 KPIs per client, each running every minute. So if I have 10 clients, I will be running 1,000 searches every minute on every indexer. (And I have to consider that small clients may have smaller indexers in terms of resources.)
2. Security: the indexers will store the searches of every client in /splunk/var/log/splunk/remote_searches.log. Some searches may contain sensitive information.
I've tried adding the *splunk_server* parameter to the searches, but the searches reached all the indexers (not only the specified one).
I've also tried adding the *splunk_server_group* parameter, specifying groups created in splunk/etc/system/local/distsearch.conf as follows:

```ini
[distributedSearch:dmc_group_kv_store]
servers = localhost:localhost

[distributedSearch:distributedSearchtmp]
servers = 192.168.4.100:8089
```

but again the searches reached all the indexers (not only the specified one).
If I can't solve this the project will fail, so I urgently need a way to restrict the searches to specific peers.
Thank you very much!
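The second concern in the post (other customers' searches, possibly carrying sensitive terms, landing in each indexer's remote_searches.log) can at least be measured. The script below is an added example, not part of the post above and not Splunk's own tooling: run on one customer's indexer, it scans remote_searches.log-style lines and reports every search that names an index outside that customer's own set (a wildcard such as index=* counts as foreign, since it would read this tenant's data too) or names no index at all (such a search runs against every peer regardless of tenancy). The log lines are constructed, in a simplified layout assumed for the example, as are the customer_<x> index naming scheme and the regexes; adjust LINE_RE to whatever your indexers actually write before trusting the output.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample lines in an assumed, simplified remote_searches.log-like
# layout: timestamp, level, component, the search string and a search id.
# This is not a verbatim copy of Splunk's format; adjust LINE_RE to match
# the real file on your indexers.
SAMPLE_LOG = """\
01-12-2017 10:00:01.000 +0000 INFO  SearchParser - search='search index=customer_a sourcetype=syslog error' sid=1
01-12-2017 10:00:01.050 +0000 INFO  SearchParser - search='search index=customer_b user=jdoe@example.com' sid=2
01-12-2017 10:00:02.000 +0000 INFO  SearchParser - search='search index=customer_a host=web01 | stats count' sid=3
01-12-2017 10:00:02.500 +0000 INFO  SearchParser - search='search index=* account_number=4111' sid=4
01-12-2017 10:00:03.000 +0000 INFO  SearchParser - search='search sourcetype=syslog failed login' sid=5
"""

# Assumed line layout: "<ts> <level> <component> - search='<spl>' sid=<id>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r".*?search='(?P<search>.*?)' sid=(?P<sid>\S+)\s*$"
)
# Every index=<name> term in an SPL string (quotes optional, wildcards kept).
INDEX_RE = re.compile(r'\bindex\s*=\s*"?([A-Za-z0-9_*-]+)"?', re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return {'ts', 'search', 'sid'} for a recognised line, else None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def indexes_in(search: str) -> Set[str]:
    """All index names referenced by a search, lower-cased."""
    return {x.lower() for x in INDEX_RE.findall(search)}


def foreign_searches(log_text: str, own_indexes: Set[str]) -> List[Dict[str, str]]:
    """Searches that reached this peer but do not belong to its customer.

    A search is foreign if it references any index outside own_indexes
    (index=* therefore counts unless '*' is explicitly allowed) or if it
    references no index at all, because such a search is dispatched to every
    peer and answered from the default indexes regardless of tenancy.
    """
    own = {x.lower() for x in own_indexes}
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated log line, e.g. a stack trace or startup message
        idx = indexes_in(rec["search"])
        if not idx or not idx <= own:
            rec["indexes"] = ",".join(sorted(idx)) or "(none)"
            hits.append(rec)
    return hits


if __name__ == "__main__":
    # On customer A's indexer, only index=customer_a searches are expected.
    for h in foreign_searches(SAMPLE_LOG, {"customer_a"}):
        print(f"{h['ts']} sid={h['sid']} indexes={h['indexes']} search={h['search']!r}")
```

On a real peer, feed the file contents instead of SAMPLE_LOG and pass the set of indexes that customer actually owns; a non-empty result lists exactly which other tenants' search strings, with any sensitive terms they carry, have already been written to that indexer's disk, which is the evidence you need when deciding whether the peer restriction is working.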