Splunk Enterprise

How to forward data from single UF to two different deployment servers (2 Splunk enterprise)?

Ashwini008
Builder

Hi,

I have requirement where i need to configure the UF to send the data to two different deployment servers or in other terms to two different Splunk enterprise.

We are doing this because the application team data needs to be sent to two different project 'Splunk enterprise' and here one Splunk enterprise needs audit logs and other Splunk enterprise needs Infrastructure data. Based on compliance with Company Security Policy ,Each Splunk enterprise should have the control to manage their own logs while having control over their Deployment servers.

Hence please let me know  if there is any approach where i am able to configure two deploymentclient.conf in one UF and send data to two different deployment servers.

 

Thank You! 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

First, no data is ever sent to a Deployment Server.  Data is only sent to indexers.  A DS is only contacted to get apps.

Second, a deployment client can have one and only one Deployment Server.  Trying to have more than one DS control a UF would result in continual changes on the UF as each DS overrides the other.

Yes, it's possible for a forwarder to send to two different sets of indexers, but only heavy forwarders can do that.  See https://docs.splunk.com/Documentation/Splunk/8.2.6/Forwarding/Routeandfilterdatad

It sounds like the best solution to meet your needs is to have two UFs installed on each server, with each UF managed by a different project team and DS.  If you do this, take care to ensure the UFs are installed in separate directories and do not share inputs or ports.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Ashwini008
Builder

@richgalloway  Thanks for the response. But we cannot install two UF's since we are using WINDOWS Server which does not allow to install 2 UF's in one Server.


And we need to send data to two different Splunk Enterprise from one single Windows Server where both the Splunk Enterprise Deployment Servers should have control over the logs from the windows server

0 Karma

richgalloway
SplunkTrust
SplunkTrust

It's not possible for two Deployment Servers to control the same forwarder.  Since you can have only one UF on your servers, you'll have choose one DS to manage them, either one of the existing DSs or a separate one shared by both teams.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...