Splunk App for Salesforce: How to configure multiple accounts for different organizations?

splunk_cv
Explorer

Hi, I have to collect logs from multiple orgs with different accounts in my Splunk Enterprise infrastructure. Is there a way to configure the Splunk App for Salesforce with multiple accounts/orgs, or do I have to install different apps (one for every org)?

Thank you
Matteo

splunker288
Explorer

Did you find a way to configure the Salesforce app with multiple accounts?

0 Karma

jkat54
SplunkTrust

If I understand your question... You're interested in knowing how to have a different splunk_ta_windows for each org so each org can have its own settings for example.

This is an interesting question because some of these TAs feed into larger apps such as the Splunk app for windows infrastructure.

Typically in your situation I would recommend different search heads for each organization, and if there are any regulatory issues that might be faced based on one org possibly having access to another org's data, I would recommend completely separate environments.

However, if you're a conglomerate, and you want 10 of your different brands / divisions using Splunk for example, but they each have their own Active Directory / LDAP domains / infrastructure, then I would just create an app for each of them like below:

OrgA_Splunk_TA_windows
OrgB_Splunk_TA_Windows

For each I would create their own roles and LDAP strategies in different apps like below:

OrgA_Base_Auth
OrgB_Base_Auth

Same with indexes, and pretty much everything else.

However, in most cases like this, I think you will find it's still best to have separate infrastructure altogether. We know management loves the idea of "Multitenant" to save costs, but unless you have a seriously strong "big data" focused architecture team, you'll probably fail at engineering this pipe dream.

0 Karma

gcusello
SplunkTrust

Hi splunk_cv,
if you need to grant administrative privileges to people in the two organizations, the best way is to have different Splunk instances for each organization.

If instead they are only users and you maintain the administrative privileges, you can either install different apps for each of them or use the same app, but either way with different indexes, because Splunk access rights to data are given at the index level. So you have to create different indexes for each organization and (if you use the same app) address all the indexes in your app using an eventtype (e.g. index=index1 OR index=index2) instead of the classical index=myindex.

Bye.
Giuseppe

0 Karma
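An added example, not part of any post in this thread: since the answers rely on one index per organization with access controlled per role, this Python check reads an authorize.conf and reports roles that can search more than one organization's index, including through `importRoles` and wildcards. The role names, index names and the org-to-index mapping are constructed assumptions.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample authorize.conf; role and index names are hypothetical.
SAMPLE_AUTHORIZE = """
[role_orga_user]
srchIndexesAllowed = sfdc_orga

[role_orgb_user]
importRoles = user
srchIndexesAllowed = sfdc_orgb

[role_user]
srchIndexesAllowed = *
"""
# Constructed mapping of each organization to its dedicated index(es).
ORG_INDEXES = {"OrgA": ["sfdc_orga"], "OrgB": ["sfdc_orgb"]}

def allowed_patterns(conf, role, seen=None):
    """Collect srchIndexesAllowed for a role, including the roles it imports."""
    seen = set() if seen is None else seen
    section = "role_" + role
    if role in seen or not conf.has_section(section):
        return set()
    seen.add(role)  # guards against circular importRoles
    raw = conf.get(section, "srchIndexesAllowed", fallback="")
    patterns = {p.strip() for p in raw.split(";") if p.strip()}
    for parent in conf.get(section, "importRoles", fallback="").split(";"):
        if parent.strip():
            patterns |= allowed_patterns(conf, parent.strip(), seen)
    return patterns

def cross_org_roles(authorize_text, org_indexes):
    """Return {role: [orgs]} for roles able to search more than one org."""
    conf = configparser.ConfigParser(interpolation=None, strict=False)
    conf.optionxform = str  # keep case-sensitive setting names
    conf.read_string(authorize_text)
    findings = {}
    for section in conf.sections():
        if not section.startswith("role_"):
            continue
        pats = allowed_patterns(conf, section[len("role_"):])
        orgs = sorted(org for org, idxs in org_indexes.items()
                      if any(fnmatchcase(i, p) for i in idxs for p in pats))
        if len(orgs) > 1:
            findings[section[len("role_"):]] = orgs
    return findings
```

In the constructed sample, `orgb_user` is reported because the role it imports allows `*`, even though its own stanza names only its own index.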