Hi, I have to collect logs from multiple orgs with different accounts in my Splunk Enterprise infrastructure. Is there a way to configure the Splunk App for Salesforce with multiple accounts/orgs, or do I have to install different apps (one for every org)?
Thank you
Matteo
Did you find a way to configure the Salesforce app with multiple accounts?
If I understand your question... You're interested in knowing how to have a different splunk_ta_windows for each org so that each org can have its own settings, for example.
This is an interesting question because some of these TAs feed into larger apps such as the Splunk App for Windows Infrastructure.
Typically in your situation I would recommend different search heads for each organization, and if there are any regulatory issues that might be faced based on one org possibly having access to another org's data, I would recommend completely separate environments.
However, if you're a conglomerate and you want 10 of your different brands/divisions using Splunk, for example, but they each have their own Active Directory/LDAP domains/infrastructure, then I would just create an app for each of them like below:
OrgA_Splunk_TA_windows
OrgB_Splunk_TA_Windows
For each I would create their own roles and LDAP strategies in different apps like below:
OrgA_Base_Auth
OrgB_Base_Auth
Same with indexes, and pretty much everything else.
However, in most cases like this, I think you will find it's still best to have separate infrastructure altogether. We know management loves the idea of "multitenant" to save costs, but unless you have a seriously strong "big data" focused architecture team, you'll probably fail at engineering this pipe dream.
Hi splunk_cv,
if you need to grant administrative privileges to the two organizations' people, the best way is to have different Splunk instances for each organization.
If instead they are only users and you keep the administrative privileges, you can either install different Apps for each of them or use the same App, but in every case with different Indexes, because Splunk access rights to data are given at Index level. So you have to create different Indexes for each organization and (if you use the same App) address all the indexes in your App using an eventtype (e.g. index=index1 OR index=index2) instead of the classical index=myindex.
Bye.
Giuseppe
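A concrete layout of the per-org roles, per-org LDAP strategies and index-spanning eventtype described in the two answers above, as an added example (not either poster's own configuration): it assumes the indexes orga_windows and orgb_windows already exist in indexes.conf, and every hostname, DN, group name and bind password below is a placeholder. In practice these stanzas would live in the per-org apps splunk_cv suggests (OrgA_Base_Auth, OrgB_Base_Auth), and only the admin role ever needs the cross-org eventtype.

```ini
# authorize.conf: one role per org, each allowed to search only its own index
[role_orga_user]
importRoles = user
srchIndexesAllowed = orga_windows
srchIndexesDefault = orga_windows
[role_orgb_user]
importRoles = user
srchIndexesAllowed = orgb_windows
srchIndexesDefault = orgb_windows

# authentication.conf: one LDAP strategy per org (placeholder hosts, DNs, passwords)
[authentication]
authType = LDAP
authSettings = OrgA_LDAP, OrgB_LDAP

[OrgA_LDAP]
host = ldap.orga.example
SSLEnabled = 1
bindDN = cn=splunk-bind,ou=service,dc=orga,dc=example
bindDNpassword = CHANGE_ME_ORGA
userBaseDN = ou=people,dc=orga,dc=example
groupBaseDN = ou=groups,dc=orga,dc=example
userNameAttribute = sAMAccountName
realNameAttribute = cn
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn

[OrgB_LDAP]
host = ldap.orgb.example
SSLEnabled = 1
bindDN = cn=splunk-bind,ou=service,dc=orgb,dc=example
bindDNpassword = CHANGE_ME_ORGB
userBaseDN = ou=people,dc=orgb,dc=example
groupBaseDN = ou=groups,dc=orgb,dc=example
userNameAttribute = sAMAccountName
realNameAttribute = cn
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn

# each directory's Splunk-Users group maps only to its own org's role
[roleMap_OrgA_LDAP]
role_orga_user = Splunk-Users
[roleMap_OrgB_LDAP]
role_orgb_user = Splunk-Users

# eventtypes.conf: the admin's cross-org view; org roles above cannot see the other index
[all_orgs_windows]
search = index=orga_windows OR index=orgb_windows
```

Because srchIndexesAllowed is the enforcement point, a user mapped to role_orga_user who searches eventtype=all_orgs_windows still gets only orga_windows events back.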