The data router
The Splunk data router is more of a concept than an actual product. It is simply a series of heavy forwarders sitting in a central location (preferably a DMZ) that route data to either a single indexer cluster or several of them, depending on your license. I have used the data router successfully in a previous life, and it gives developers, security teams and auditors a single place from which to order data.
I use the word order because you can literally create what I call a menu (a list of the available data types) and let different departments pick the data they want. Just be sure to get approval from leadership first, for security reasons.
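As an added illustration (not configuration from the book), here is how a heavy forwarder in the data router can serve that menu: each department's indexer cluster is a tcpout group, and a sourcetype is routed only to the groups approved for it. Hostnames, group names and sourcetypes are placeholders assumed for the example.

```ini
# outputs.conf on the data-router heavy forwarder (assumed placeholder hosts).
# Each tcpout group is one "menu customer": an indexer cluster owned by a team.
[tcpout]
defaultGroup = ops_indexers     # anything without an explicit route lands here

[tcpout:ops_indexers]
server = ops-idx1.example.internal:9997, ops-idx2.example.internal:9997

[tcpout:security_indexers]
server = sec-idx1.example.internal:9997, sec-idx2.example.internal:9997

[tcpout:audit_indexers]
server = aud-idx1.example.internal:9997

# props.conf: attach a routing transform per sourcetype that appears on the menu.
# Sourcetypes with no TRANSFORMS- entry fall through to defaultGroup.
[linux_secure]
TRANSFORMS-routing = route_auth_logs

[WinEventLog:Security]
TRANSFORMS-routing = route_auth_logs

[cisco:asa]
TRANSFORMS-routing = route_firewall_logs

# transforms.conf: REGEX = . matches every event, so the whole sourcetype
# is steered by setting _TCP_ROUTING to the approved tcpout group(s).
[route_auth_logs]
REGEX = .
DEST_KEY = _TCP_ROUTING
# Both security and audit ordered authentication data, so clone it to both.
FORMAT = security_indexers, audit_indexers

[route_firewall_logs]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = security_indexers
```

Because every route is an explicit allow list, adding a department to the menu means editing one FORMAT line, which is also the change that leadership should be asked to approve.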
The following diagram is a realistic representation of how the network segments we discussed earlier relate to each other:
As you can see in the preceding diagram, the DMZ is a great place to put the data router, so we will use it for our example.
Let's assume each of these segments has 200+ forwarders...