Hello, I'm relatively new to Splunk. The company I work for is in the process of deciding between using Splunk or ELK.
Our requirements are to collect data from many machines/servers and strictly separate data by e.g. department or branch office.
In my opinion the Splunk architecture looks like this:
A client has a forwarder installed on it. This forwarder sends data to a specific heavy forwarder.
The HF then parses the data and sends it on to an indexer, where it is indexed and can later be searched from the search application.
I didn't find anything about how to separate data in the Splunk documentation.
Does anyone know where you could start the separation?
Is it possible to start it right at the HF?
Does anyone have a link to documentation for it?
Thanks in advance!
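The usual way to get a hard separation in Splunk is one index per department or branch office, with routing decided at the forwarder or heavy forwarder and access controlled per index through roles. The following configuration fragments are an added example illustrating that pattern; they are not part of the original post, and the index names (dept_finance, branch_berlin), host pattern, file path and role name are made-up placeholders. The stanza and setting names themselves are standard Splunk .conf settings.

```ini
# --- Indexer: indexes.conf -------------------------------------------
# One index per tenant. Separate indexes are the boundary Splunk's
# role-based access control is built around; a search can only touch
# an index the role is allowed to search.
[dept_finance]
homePath   = $SPLUNK_DB/dept_finance/db
coldPath   = $SPLUNK_DB/dept_finance/colddb
thawedPath = $SPLUNK_DB/dept_finance/thaweddb

[branch_berlin]
homePath   = $SPLUNK_DB/branch_berlin/db
coldPath   = $SPLUNK_DB/branch_berlin/colddb
thawedPath = $SPLUNK_DB/branch_berlin/thaweddb

# --- Universal forwarder: inputs.conf -------------------------------
# Simplest place to separate: every input on a department's machines
# is stamped with that department's index. The UF does not parse event
# contents, so this is a per-input decision, not a per-event one.
[monitor:///var/log/finance-app]   ; placeholder path
index      = dept_finance
sourcetype = finance_app

# --- Heavy forwarder: props.conf + transforms.conf -----------------
# The HF does parse, so it can also route per event at index time,
# e.g. everything from hosts named berlin-* goes to branch_berlin
# regardless of what the forwarder set.
# props.conf
[host::berlin-*]                   ; placeholder host pattern
TRANSFORMS-route_berlin = set_index_branch_berlin

# transforms.conf
[set_index_branch_berlin]
REGEX    = .
DEST_KEY = _MetaData:Index
FORMAT   = branch_berlin

# --- Search head: authorize.conf -----------------------------------
# A role that can only ever search its own index. srchIndexesAllowed
# is the enforced boundary; srchIndexesDefault just saves users from
# typing index= in every search.
[role_finance_users]               ; placeholder role name
importRoles        = user
srchIndexesAllowed = dept_finance
srchIndexesDefault = dept_finance
```

Two practical caveats: index-time routing on the HF only applies to data the HF actually parses, so if forwarders send already-parsed (cooked) data straight to indexers the routing must happen in inputs.conf instead; and restricting roles with srchFilter alone (a search-time filter on the same index) is weaker than separate indexes, because every filtered role still shares storage, retention settings and the same index name.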