How to achieve multi-tenancy in Splunk UBA and ES?
Bringing this back to life:
1) It looks like with ES 6.4, Splunk brought the solution of Entity Zones. I personally have not played with it yet but will be very soon. https://docs.splunk.com/Documentation/ES/6.6.0/Admin/Entityzones
So at first glance this looks like the solution if you are just playing with ES. Now we bring in the big wrench like UBA. I have not found yet a solution to have multiple tenants going into one UBA. You will have ip overlap issue...
Has anyone have more to add to this and\or do we know if there is a solution or one coming down the pipe?
There is no multi-tenancy in ES.
@starcher then any workaround to achieve this? Can we edit ES searches and keep separate index per customer and restrict data access using user roles?
No there is no easy way to create borders in ES. Hence there not being multi tenant already. I don't know UBA. You should ask your sales rep and they can arrange more specific calls with appropriate Splunk product specialists.
Also how the case differs with UBA?