topic Re: Splunk Enterprise Security: Is it possible to implement multi-tenancy in a distributed search environment? in Splunk Enterprise Security

Splunk Enterprise Security: Is it possible to implement multi-tenancy in a distributed search environment?

jrballesteros05 — Thu, 20 Oct 2016 21:00:07 GMT

Hello everybody.

I deployed a Splunk Enterprise Security in a distributed environment for our customer. He also has many customers and he doesn't want to see all the logs together. I've heard ES does not support multi-tenant natively, but at the moment, he wants to have separable reports for customer or see in the dashboard which data belongs to whom.

I don't know if there is a way to reach that. If you know, I will appreciate any help.

I've been looking for something similar and I got this:

https://answers.splunk.com/answers/236674/security-app-with-multi-tentant.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev

Best regards.

Re: Splunk Enterprise Security: Is it possible to implement multi-tenancy in a distributed search environment?

gjanders — Fri, 21 Oct 2016 07:52:23 GMT

From your statement it is not completely clear on what you are trying to achieve, if your trying to split the ES product such that users see different data within different dashboards, then I don't think that is going to be possible.

If you want to allow users to have reports of their subsection of the data, then that would be possible.

To explain my answer a little bit further, the data models used within ES are going to either be accessible or not accessible to particular Splunk roles. If a user has access to the data model they see what is within the data model.

If your referring to data in indexes you can restrict which roles have access to the index, but this would be normal Splunk, not specific to the ES app itself. You could also potentially use search filters to provide some level of restriction on which roles can see which parts of the index although this has limitations.

If you need to have different views of the ES application then I think the best you could do would be to build multiple search heads (or search head clusters), and have them look at different indexes. However this would mean that you no longer have a single ES with all security data visible..

Re: Splunk Enterprise Security: Is it possible to implement multi-tenancy in a distributed search environment?

sdaniels — Fri, 21 Oct 2016 14:44:57 GMT

The Splunk App for Enterprise Security is not supported in a multi-tenant environment at this time. We do have many service providers running Splunk Enterprise to support multiple customers within one Splunk instance. With the App for ES you would need to spin up a separate instance for each customer.

Re: Splunk Enterprise Security: Is it possible to implement multi-tenancy in a distributed search environment?

jrballesteros05 — Mon, 24 Oct 2016 15:41:15 GMT

Hello, thanks for your reply :).

I asked to many people and everybody says I will need a separate instance for each customer, like you said in your first answer.

Best regards.

Re: Splunk Enterprise Security: Is it possible to implement multi-tenancy in a distributed search environment?

Doc_Yes — Sat, 17 Aug 2019 21:35:21 GMT

The Mothership app may possibly be of use for the above described scenario. https://splunkbase.splunk.com/app/4646/

Re: Splunk Enterprise Security: Is it possible to implement multi-tenancy in a distributed search environment?

rsulek — Tue, 11 Feb 2020 13:51:07 GMT

Hi everyone, it's there any progress about multi-tenant with ES?

Re: Splunk Enterprise Security: Is it possible to implement multi-tenancy in a distributed search environment?

richgalloway — Tue, 11 Feb 2020 15:31:27 GMT

No, there hasn't.

Re: Splunk Enterprise Security: Is it possible to implement multi-tenancy in a distributed search environment?

dolezelk — Mon, 17 Feb 2020 16:37:14 GMT

I would suggest splitting on SH only, while all the indexes will have to be customized.

Re: Splunk Enterprise Security: Is it possible to implement multi-tenancy in a distributed search environment?

mohdfadhlan — Tue, 22 Oct 2024 02:33:09 GMT

Since your last update on 21 Oct 2016 stating that Splunk Enterprise Security does not support multi-tenancy, what is the status right now? Does Splunk Enterprise Security is now support multi-tenancy?

Re: Splunk Enterprise Security: Is it possible to implement multi-tenancy in a distributed search environment?

MaverickT — Tue, 22 Oct 2024 07:12:43 GMT

Status is unchanged. Splunk ES is still long way from having multi tenancy supported as it is. Request for multi-tenancy is marked as "Future prospect" at Splunk Ideas portal: Add native multi-tenancy capability to Enterprise Security | Ideas.