Monitoring Splunk

multiple clients

dahz
New Member

I have several clients that I want to pull data in from. I want to be able to keep the data separate, is that possible?


neelamssantosh
Contributor

Valid point mcmaster,
coming to your requirement dahz,
Splunk provides data separation with respect to indexers
e.g. data differs from HR, Security, Application developers team in which they are keen of.

# inputs.conf on the forwarder: one [monitor://...] stanza per log file.
# Each stanza header must be a distinct path; "xxxx" marks placeholder values.
# Splunk .conf comments must start at the beginning of a line.
[monitor:///source/sourcetype/path/location/xxxx.log]
disabled = false
# the index named here must already be defined on the indexer(s)
index = HR
host = xxxx
sourcetype = xxxx

# second input, a different file, routed to its own index
[monitor:///source/sourcetype/path/location/xxxx.log]
disabled = false
index = Security
host = xxxx
sourcetype = xxxx


mcmaster
Communicator

You can put the data into separate indexes, which will keep the data separate, however Splunk is not designed to be multi-tenant. There may also be licensing concerns, which you should ask your sales rep about to be sure you're meeting those rules. Keep in mind few if any apps are designed for multi-tenancy, and many expect data to be in an index of their choosing, so you will find yourself modifying nearly every app you want to use to support your use case.

Assuming you're OK with these gotchas, you can replicate whatever indexing scheme you would use for a single customer deployment for the multi customer design. For example, if you separate indexes by data type, you could have indexes such as "gizmos_acme", "widgets_acme", etc. Or, if you separate data by retention period, you could have "90d_acme", "180d_acme", "1y_acme", etc. This all depends on your preference.

You will also need to specifically configure things to go into each customer's index. There are a few options for doing this as well. You can manually configure each forwarder's inputs for the proper customer names, or you could do it dynamically using props/transforms configs to set the index based on the host. This too depends on your preference and the size of your deployment.

TL;DR yes it's possible, but Splunk was not designed to be used this way, so you're looking at a lot of hurdles to make it work. And depending on what the data is, where it comes from, and how it is generated, there may be licensing concerns as well.
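As an added illustration of the props/transforms route mcmaster mentions (example configuration, not part of either answer), the stanzas below send events from hosts carrying a customer prefix to that customer's own index. The customer names acme and globex, the hostname convention and the index names are assumptions made for the example.

```ini
# props.conf (on the indexer or heavy forwarder that first parses the events;
# a universal forwarder does not apply index-time transforms)
# Assumed convention: hostnames are prefixed with the customer name, e.g. acme-web01.
[host::acme-*]
TRANSFORMS-customer_index = route_acme

[host::globex-*]
TRANSFORMS-customer_index = route_globex

# transforms.conf: match on the host metadata and rewrite the destination index
[route_acme]
SOURCE_KEY = MetaData:Host
REGEX = ^acme-
DEST_KEY = _MetaData:Index
FORMAT = main_acme

[route_globex]
SOURCE_KEY = MetaData:Host
REGEX = ^globex-
DEST_KEY = _MetaData:Index
FORMAT = main_globex

# indexes.conf (indexers): every target index must be defined, otherwise the routed
# events are dropped (or land in lastChanceIndex when that setting is configured)
[main_acme]
homePath   = $SPLUNK_DB/main_acme/db
coldPath   = $SPLUNK_DB/main_acme/colddb
thawedPath = $SPLUNK_DB/main_acme/thaweddb

[main_globex]
homePath   = $SPLUNK_DB/main_globex/db
coldPath   = $SPLUNK_DB/main_globex/colddb
thawedPath = $SPLUNK_DB/main_globex/thaweddb
```

Events from hosts matching neither pattern keep the index set in inputs.conf, so check the result after a restart with a search such as `index=main_acme | stats count by host`; the per-customer indexes are also what lets each customer's role be restricted to its own data via the role's allowed indexes.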
