I have several clients that I want to pull data in from. I want to be able to keep the data separate, is that possible?
Valid point mcmaster,
comiing to your requirement dahz,
splunk provide's data separation with respect to indexers
eg: data differs from HR, Security, Application developers team in which they are keen of.
[monitor:///source/sourcetype/path/location/xxxx.log]
disabled = false
index = HR
host = xxxx
sourcetype = xxxx
[monitor:///source/sourcetype/path/location/xxxx.log]
disabled = false
index = Security
host = xxxx
sourcetype = xxxx
You can put the data into separate indexes, which will keep the data separate, however Splunk is not designed to be multi-tenant. There may also be licensing concerns, which you should ask your sales rep about to be sure you're meeting those rules. Keep in mind few if any apps are designed for multi-tenancy, and many expect data to be in an index of their choosing, so you will find yourself modifying nearly every app you want to use to support your use case.
Assuming you're OK with these gotchas, you can replicate whatever indexing scheme you would use for a single customer deployment for the multi customer design. For example, if you separate indexes by data type, you could have indexes such as "gizmos_acme", "widgets_acme", etc. Or, if you separate data by retention period, you could have "90d_acme", "180d_acme", "1y_acme", etc. This all depends on your preference.
You will also need to specifically configure things to go into each customer's index. There are a few options for doing this as well. You can manually configure each forwarder's inputs for the proper customer names, or you could do it dynamically using props/transforms configs to set the index based on the host. This too depends on your preference and the size of your deployment.
TL;DR yes its possible, but Splunk was not designed to be used this way, so you're looking at a lot of hurdles to make it work. And depending on what the data is, where it comes from, and how it is generated, there may be licensing concerns as well.