Deployment Architecture

Index assignment for related sub-networks

Contributor

An enterprise network has many sub-networks each with UniversalForwarders forwarding to a central pool of Indexers.
The data from each sub-network should be contained within it's own index, e.g.:

  • index=site1-windows
  • index=site1-unix
  • index=site2-windows
  • index=site2-unix

Since managing many hundreds of IPs in the blacklist/whitelists on a single Deployment Server is painful, what is the recommended approach to ensure the deployment-clients from one subnet properly assign the data to the correct index?

Here are two possibilities, but am certainly open to other suggestions (or a confirmation that one of these is best-practice):

  • A separate Deployment Server for each sub-network. This is a lot of extra work and duplication, but allows use of "machineTypes" and requires less ongoing *list maintenance.
  • Parsing configs on the Heavy Forwarders to assign the correct index based on subnet via regexes

Thanks in advance.

0 Karma

Splunk Employee
Splunk Employee

You can set the "clientName" item in the deploymentclient.conf file when you initially install the forwarders, then use that in your whitelist/blacklists to distinguish broad classes of machine like this. Each site will have a base install package that differs only in that setting, but can all go back to the same Deployment Server.

0 Karma

Contributor

Thanks gkanapathy.
Using clientName means blacklists/whitelists will still need to be used, but only on the base install package stanza. This will make the serverclass.conf cleaner, but still has the same complication of managing the *lists. Correct?
Also, this still requires separate deployment-apps for each "index" variation. Is there a simple way around this, that I am missing?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!