Hello everybody.
I deployed Splunk Enterprise Security in a distributed environment for our customer. He also has many customers of his own and doesn't want to see all the logs together. I've heard ES does not support multi-tenancy natively, but for now he wants separate reports per customer, or to see in the dashboard which data belongs to whom.
I don't know if there is a way to achieve that. If you know, I would appreciate any help.
I've been looking for something similar and found this:
Best regards.
The Splunk App for Enterprise Security is not supported in a multi-tenant environment at this time. We do have many service providers running Splunk Enterprise to support multiple customers within one Splunk instance. With the App for ES you would need to spin up a separate instance for each customer.
Hi everyone, is there any progress on multi-tenancy with ES?
I would suggest splitting on the SH only, while all the indexes will have to be customized.
No, there hasn't.
The Splunk App for Enterprise Security is not supported in a multi-tenant environment at this time. We do have many service providers running Splunk Enterprise to support multiple customers within one Splunk instance. With the App for ES you would need to spin up a separate instance for each customer.
From your statement it is not completely clear what you are trying to achieve. If you're trying to split the ES product such that users see different data within different dashboards, then I don't think that is going to be possible.
If you want to allow users to have reports of their subsection of the data, then that would be possible.
To explain my answer a little bit further, the data models used within ES are going to either be accessible or not accessible to particular Splunk roles. If a user has access to the data model they see what is within the data model.
If you're referring to data in indexes, you can restrict which roles have access to the index, but this would be normal Splunk, not specific to the ES app itself. You could also potentially use search filters to provide some level of restriction on which roles can see which parts of the index, although this has limitations.
If you need to have different views of the ES application, then I think the best you could do would be to build multiple search heads (or search head clusters) and have them look at different indexes. However, this would mean that you no longer have a single ES with all security data visible.
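To make the index-restriction and search-filter approach from the answer above concrete, here is an added example of what the per-customer roles would look like in authorize.conf. It is not from the thread or from Splunk's own documentation; the index names (custa_*, custb_*), the role names and the indexed field "customer" are assumptions made for illustration.

```ini
# Added example, not part of the original thread.
# $SPLUNK_HOME/etc/system/local/authorize.conf on the ES search head.
# Assumptions: one set of indexes per customer (custa_*, custb_*) and an
# indexed field "customer" stamped on every event at the forwarder.

# Customer A analysts: ES capabilities via ess_user, data only from A's indexes.
[role_tenant_custa]
importRoles = ess_user
srchIndexesAllowed = custa_*
srchIndexesDefault = custa_*
# Appended to every search this role runs; second line of defence in case
# an index is shared between customers or a user types index=*.
srchFilter = customer="custa"

# Customer B analysts: same pattern.
[role_tenant_custb]
importRoles = ess_user
srchIndexesAllowed = custb_*
srchIndexesDefault = custb_*
srchFilter = customer="custb"

# The service provider's own analysts keep the stock ES roles
# (ess_analyst / ess_admin) with no restriction; nothing to add here.
```

Two checks before handing a tenant role to a customer. First, importRoles merges the imported role's index access and search filters with yours, and multiple srchFilter values are combined with OR, so if anything in the ess_user chain already grants a broad srchIndexesAllowed the restriction is widened rather than narrowed; confirm the effective values with `| rest /services/authorization/roles | search title=tenant_custa | table title imported_roles srchIndexesAllowed srchFilter`. Second, this only partitions raw-event searches: ES correlation searches run under the app owner and write every customer's notable events into the shared `notable` index, so do not grant a tenant role that index unless the notables also carry the `customer` field the filter matches, and log in as a tenant user to verify what the data-model-backed ES dashboards actually show.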
Hello, thanks for your reply :).
I asked many people and everybody says I will need a separate instance for each customer, like you said in your first answer.
Best regards.
The Mothership app may possibly be of use for the above described scenario. https://splunkbase.splunk.com/app/4646/