Deployment Architecture

Best practices for implementing a Splunk Service


We're currently looking at setting up a centralized "Splunk Service" within our organization. The idea would be that different user groups could use some common infrastructure which they wouldn't have to manage, and all they'd have to do is define their dashboards, searches, etc. We would like to be able to "carve up" our license to isolate each user group from the others so that one misbehaving user sending too many logs won't leave the others with a license violation.

I understand that one way of setting this up is with a common license manager and multiple indexers and license pools, but handling several indexers would increase our support load, plus we would need more hardware. Are there any other options? Has anybody set up anything similar?

Ultra Champion

The current license master/slave architecture allows you to carve up your license stack into pools.
Each pool is then self contained with respect to its license violations.
You can then assign Splunk Indexers (License Slaves) to a particular pool.
So currently this is the lowest granularity for assigning to pools and you'd need, at the minimum, a Splunk Indexer Server per user group in your organization.

What would be nice is if you could assign each index to a pool rather than the actual Splunk Indexer server; then you could have an index for each group assigned to their own license pool, all running on the same Indexer server (or cluster of Indexer servers).

0 Karma
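As an added example (not from the thread, and not the poster's own configuration), the server.conf stanzas that carve one Enterprise stack into two license pools and bind each indexer to a pool by its GUID; host names, GUIDs and quota values are constructed placeholders.

```ini
# --- server.conf on the license master ---
# (added example; host names, GUIDs and quotas are placeholders)
[license]
master_uri = self

# Two pools carved out of the same Enterprise stack, one per user group.
# quota is in bytes per day; the pools' quotas must fit within the stack.
# A violation in one pool is counted against that pool only.
[lmpool:pool_finance]
description = Finance team indexers
quota = 10737418240
slaves = AAAAAAAA-1111-1111-1111-111111111111
stack_id = enterprise

[lmpool:pool_webops]
description = Web operations indexers
quota = 10737418240
slaves = BBBBBBBB-2222-2222-2222-222222222222,CCCCCCCC-3333-3333-3333-333333333333
stack_id = enterprise

# --- server.conf on each indexer (license slave) ---
# The indexer only points at the master; which pool it lands in is decided
# by its GUID appearing in one pool's "slaves" list above.
[license]
master_uri = https://license-master.example.internal:8089
```

On the master, `splunk list licenser-pools` shows the resulting pools and their member slaves, which is the quickest way to confirm an indexer ended up in the intended pool rather than the auto-generated default one.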


That is exactly what we would like to do. This would allow us to manage a group of indexers so that our users wouldn't have to. All they would have to do is send their logs there and configure an App, and we would deal with the rest.

0 Karma