Splunk Enterprise

How to forward data from single UF to two different deployment servers (2 Splunk enterprise)?

Ashwini008
Builder

Hi,

I have requirement where i need to configure the UF to send the data to two different deployment servers or in other terms to two different Splunk enterprise.

We are doing this because the application team data needs to be sent to two different project 'Splunk enterprise' and here one Splunk enterprise needs audit logs and other Splunk enterprise needs Infrastructure data. Based on compliance with Company Security Policy ,Each Splunk enterprise should have the control to manage their own logs while having control over their Deployment servers.

Hence please let me know  if there is any approach where i am able to configure two deploymentclient.conf in one UF and send data to two different deployment servers.

 

Thank You! 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

First, no data is ever sent to a Deployment Server.  Data is only sent to indexers.  A DS is only contacted to get apps.

Second, a deployment client can have one and only one Deployment Server.  Trying to have more than one DS control a UF would result in continual changes on the UF as each DS overrides the other.

Yes, it's possible for a forwarder to send to two different sets of indexers, but only heavy forwarders can do that.  See https://docs.splunk.com/Documentation/Splunk/8.2.6/Forwarding/Routeandfilterdatad

It sounds like the best solution to meet your needs is to have two UFs installed on each server, with each UF managed by a different project team and DS.  If you do this, take care to ensure the UFs are installed in separate directories and do not share inputs or ports.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Ashwini008
Builder

@richgalloway  Thanks for the response. But we cannot install two UF's since we are using WINDOWS Server which does not allow to install 2 UF's in one Server.


And we need to send data to two different Splunk Enterprise from one single Windows Server where both the Splunk Enterprise Deployment Servers should have control over the logs from the windows server

0 Karma

richgalloway
SplunkTrust
SplunkTrust

It's not possible for two Deployment Servers to control the same forwarder.  Since you can have only one UF on your servers, you'll have choose one DS to manage them, either one of the existing DSs or a separate one shared by both teams.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...