
Splunk IT Service Intelligence: How to restrict searches to specific search peers?

Hello, I am building an environment in which I have a Search Head (6.5.0) and many indexers: one indexer per customer. In the SH, I have Splunk IT Service Intelligence (ITSI) 2.4.0 and many alerts and reports for each of my customers.

I need to restrict the searches to specific peers. As each peer corresponds to a different client, I need the searches (alerts, KPIs, etc.) of client A to reach only the indexer of client A. If I can't restrict them, I'll have 2 critical implications:

1. Scalability: All the indexers should have enough resources to process **all the searches of every client** (although almost all of them will return empty results). Consider that I'll have around 100 KPIs per client which run every minute. So if I have 10 clients, I will be running 1,000 searches every minute on every indexer. (And I have to consider that small clients may have smaller indexers in terms of resources.)
2. Security: The indexers will store in /splunk/var/log/splunk/remote_searches.log the searches of every client. Some searches may have sensitive information.

I've tried adding the *splunk_server* parameter to the searches, but the searches reached all the indexers (not only the specified one). I've also tried adding the *splunk_server_group* parameter, specifying groups created in splunk/etc/system/local/distsearch.conf as follows:

```
[distributedSearch:dmc_group_kv_store]
servers = localhost:localhost

[distributedSearch:distributedSearchtmp]
servers = 192.168.4.100:8089
```

but again the searches reached all the indexers (not only the specified one). If I can't solve this, the project will fail, so I urgently need a way to restrict the searches to specific peers. Thank you very much!
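Before changing the search head, it helps to know which of the per-client searches actually declare a peer scope and whether the group they name exists in distsearch.conf; an unscoped or mis-scoped KPI is exactly what fans out to every indexer and lands in every peer's remote_searches.log. The script below is an added example, not code from the question or from Splunk: it parses the `[distributedSearch:<group>]` / `servers` stanza layout shown in the question and the `splunk_server_group=<group>` form used in the searches, and reports each search as scoped, unscoped, or pointing at an undefined group. The distsearch.conf text and the saved searches are constructed for the example; the script audits what the searches declare, not what the search head does with that declaration at run time.

```python
"""Cross-check saved searches against distsearch.conf search-peer groups.

Added example, not from the original post. Assumes the stanza layout shown in
the question ([distributedSearch:<group>] with a comma-separated `servers`
list) and searches that scope themselves with `splunk_server_group=<group>`.
"""
import configparser
import re

# Constructed distsearch.conf, mirroring the shape shown in the question.
DISTSEARCH_CONF = """
[distributedSearch:dmc_group_kv_store]
servers = localhost:localhost

[distributedSearch:distributedSearchtmp]
servers = 192.168.4.100:8089

[distributedSearch:client_b]
servers = 192.168.4.101:8089,192.168.4.102:8089
"""

# Constructed saved searches (name -> SPL) standing in for per-client KPIs.
SAVED_SEARCHES = {
    "clientA_kpi_cpu": "index=clienta sourcetype=cpu splunk_server_group=distributedSearchtmp | stats avg(pct)",
    "clientB_kpi_mem": "index=clientb splunk_server_group=client_b | stats max(used)",
    "clientC_kpi_disk": "index=clientc splunk_server_group=client_c | stats count",
    "global_alert": "index=* error | stats count",
}

# Matches splunk_server_group=<name>, with or without quotes around the name.
GROUP_RE = re.compile(r"\bsplunk_server_group\s*=\s*\"?([A-Za-z0-9_.-]+)\"?")


def parse_peer_groups(conf_text):
    """Return {group_name: [peer, ...]} from distsearch.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    prefix = "distributedSearch:"
    groups = {}
    for section in cp.sections():
        if not section.startswith(prefix):
            continue
        servers = cp[section].get("servers", "")
        groups[section[len(prefix):]] = [s.strip() for s in servers.split(",") if s.strip()]
    return groups


def audit_searches(searches, groups):
    """Classify each search by the peer scope it declares.

    Returns {search_name: (status, detail)} where status is one of
    "scoped" (detail = list of peers), "undefined_group" (detail = group name)
    or "unscoped" (detail = None, i.e. the search will fan out to all peers).
    """
    report = {}
    for name, spl in searches.items():
        m = GROUP_RE.search(spl)
        if m is None:
            report[name] = ("unscoped", None)
        elif m.group(1) in groups:
            report[name] = ("scoped", groups[m.group(1)])
        else:
            report[name] = ("undefined_group", m.group(1))
    return report


if __name__ == "__main__":
    result = audit_searches(SAVED_SEARCHES, parse_peer_groups(DISTSEARCH_CONF))
    for name, (status, detail) in sorted(result.items()):
        print(f"{name:18} {status:16} {detail or ''}")
```

Searches reported as `unscoped` or `undefined_group` are the ones to fix first: under the numbers in the question (100 KPIs per client, every minute) each such search costs every indexer a run and leaves a copy of its text in every peer's remote_searches.log.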
