Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to apply licenses at a more granular, per-user level in order to isolate usage?

bosburn_splunk
Splunk Employee
Splunk Employee
‎04-26-2012 10:49 AM

We're currently looking at setting up a centralized "Splunk Service" within our organization. The idea would be that different user groups could use some common infrastructure which they wouldn't have to manage, and all they'd have to do is define their dashboards, searches, etc. We would like to be able to "carve up" our license to isolate each user group from the others so that one misbehaving user sending too many logs won't leave the others with a license violation.

I understand that one way of setting this up is with a common license manager and multiple indexers and license pools, but handling several indexers would increase our support load, plus we would need more hardware.

Are there any other options? Has anybody set up anything similar?

Labels (2)
Labels
Reply

jimodonald
Contributor
‎09-22-2014 06:50 AM

The easiest method would be to set up separate indexers for each internal customer. This way you could set up different license pools for each customer. Clearly that would require you to manage groups of indexers and not your preferred method.

Alternatively, you can set up a CSV as a lookup table mapping the indexers on shared infrastructure to the internal customers and run a daily report to compare the actual indexed usage to the budgeted indexed usage by customer. There will not be any hard limits doing it this way, but it is a start with chargeback to the various business units.

0 Karma
Reply

jmheaton
Path Finder
‎09-19-2014 12:49 PM

I'm not sure if this is possible for your current environment or even recommended to do as the idea of this could collapse a star.
But what about running multiple instances of Splunk on a single indexer. Point the storage to separate places, configure the server.conf and the inputs.conf differently for the multiple instances. I have done this before on search heads and locally when i am testing a new app.
After you have the multiple instances open, link them up to your license and they should appear as two different indxers to split your license with.

0 Karma
Reply

alexiri
Communicator
‎09-22-2014 04:49 AM

This isn't any better than running multiple indexers on separate machines (or VMs). As a matter of fact, it's even worse, as it is more complicated and less standard.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...