Monitoring Splunk

multiple clients

dahz
New Member

I have several clients that I want to pull data in from. I want to be able to keep the data separate, is that possible?

0 Karma

neelamssantosh
Contributor

Valid point, mcmaster.
Coming to your requirement, dahz:
Splunk provides data separation with respect to indexers,
e.g. data differs across the HR, Security, and Application developer teams, depending on what they are keen on.

[monitor:///source/sourcetype/path/location/xxxx.log]
disabled = false
index = HR
host = xxxx
sourcetype = xxxx

[monitor:///source/sourcetype/path/location/xxxx.log]
disabled = false
index = Security
host = xxxx
sourcetype = xxxx

0 Karma

mcmaster
Communicator

You can put the data into separate indexes, which will keep the data separate, however Splunk is not designed to be multi-tenant. There may also be licensing concerns, which you should ask your sales rep about to be sure you're meeting those rules. Keep in mind few if any apps are designed for multi-tenancy, and many expect data to be in an index of their choosing, so you will find yourself modifying nearly every app you want to use to support your use case.

Assuming you're OK with these gotchas, you can replicate whatever indexing scheme you would use for a single customer deployment for the multi customer design. For example, if you separate indexes by data type, you could have indexes such as "gizmos_acme", "widgets_acme", etc. Or, if you separate data by retention period, you could have "90d_acme", "180d_acme", "1y_acme", etc. This all depends on your preference.

You will also need to specifically configure things to go into each customer's index. There are a few options for doing this as well. You can manually configure each forwarder's inputs for the proper customer names, or you could do it dynamically using props/transforms configs to set the index based on the host. This too depends on your preference and the size of your deployment.

TL;DR: yes, it's possible, but Splunk was not designed to be used this way, so you're looking at a lot of hurdles to make it work. And depending on what the data is, where it comes from, and how it is generated, there may be licensing concerns as well.
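The dynamic props/transforms routing mentioned in the answer above, as an added example that is not part of the original post. The host prefixes `acme-` and `globex-`, the transform names and the `widgets_globex` index are assumptions made for illustration; `widgets_acme` follows the naming scheme from the answer.

```ini
# --- props.conf ---
# Must live where the data is parsed (indexer or heavy forwarder);
# index-time transforms are not applied on a universal forwarder.
# Assumption: each customer's hosts share a recognisable name prefix.
[host::acme-*]
TRANSFORMS-route_customer_index = route_to_acme

[host::globex-*]
TRANSFORMS-route_customer_index = route_to_globex

# --- transforms.conf ---
# REGEX = . matches every event from the hosts selected above and
# rewrites the destination index before the event is written.
[route_to_acme]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = widgets_acme

[route_to_globex]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = widgets_globex

# --- indexes.conf ---
# The target indexes must exist on the indexers, otherwise the
# routed events have nowhere to land.
[widgets_acme]
homePath   = $SPLUNK_DB/widgets_acme/db
coldPath   = $SPLUNK_DB/widgets_acme/colddb
thawedPath = $SPLUNK_DB/widgets_acme/thaweddb

[widgets_globex]
homePath   = $SPLUNK_DB/widgets_globex/db
coldPath   = $SPLUNK_DB/widgets_globex/colddb
thawedPath = $SPLUNK_DB/widgets_globex/thaweddb
```

Hosts that match neither pattern keep the index set in their forwarder's inputs, so a mistyped or unexpected host name lands outside every customer index; searching that default index for stray hosts is a quick check that the routing covers everything.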
