Best practices for implementing a Splunk Service

alexiri
Communicator

We're currently looking at setting up a centralized "Splunk Service" within our organization. The idea would be that different user groups could use some common infrastructure which they wouldn't have to manage, and all they'd have to do is define their dashboards, searches, etc. We would like to be able to "carve up" our license to isolate each user group from the others so that one misbehaving user sending too many logs won't leave the others with a license violation.

I understand that one way of setting this up is with a common license manager and multiple indexers and license pools, but handling several indexers would increase our support load, plus we would need more hardware. Are there any other options? Has anybody set up anything similar?

Damien_Dallimor
Ultra Champion

The current license master/slave architecture allows you to carve up your license stack into pools.
Each pool is then self-contained with respect to its license violations.
You can then assign Splunk Indexers (License Slaves) to a particular pool.
So currently this is the lowest granularity for assigning to pools and you'd need, at the minimum, a Splunk Indexer Server per user group in your organization.

What would be nice is if you could assign each index to a pool rather than the actual Splunk Indexer server, then you could have an index for each group assigned to their own license pool all running on the same Indexer server (or cluster of Indexer servers).

0 Karma
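
The pool-per-indexer arrangement described in the answer above, sketched as server.conf stanzas. This is an added example, not configuration posted by anyone in the thread; the pool names, quotas, GUIDs and host name are constructed placeholders.

```ini
# --- server.conf on the license master ---
# One pool per user group, each carved out of the same enterprise stack.
# A group that exceeds its quota puts only its own pool in violation.

[lmpool:pool_group_a]
description = Daily quota for user group A (hypothetical group)
stack_id = enterprise
# Daily quota in bytes (10 GB in this constructed example)
quota = 10737418240
# GUID of the indexer dedicated to group A (placeholder)
slaves = <GUID-OF-GROUP-A-INDEXER>

[lmpool:pool_group_b]
description = Daily quota for user group B (hypothetical group)
stack_id = enterprise
# Daily quota in bytes (5 GB in this constructed example)
quota = 5368709120
# GUID of the indexer dedicated to group B (placeholder)
slaves = <GUID-OF-GROUP-B-INDEXER>

# --- server.conf on each indexer (license slave) ---
# Points the indexer at the central license master; the pool it lands in
# is decided by the slaves lists above, not by anything set on the indexer.

[license]
master_uri = https://<license-master-host>:8089
```

Because pool membership is a list of indexer GUIDs, the smallest unit that can be isolated this way is a whole indexer, which is the limitation the answer points out.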

alexiri
Communicator

That is exactly what we would like to do. This would allow us to manage a group of indexers so that our users wouldn't have to. All they would have to do is send their logs there and configure an App, and we would deal with the rest.

0 Karma