Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to forward data from single UF to two different deployment servers (2 Splunk enterprise)?

Ashwini008
Builder
‎05-19-2022 11:31 PM

Hi,

I have requirement where i need to configure the UF to send the data to two different deployment servers or in other terms to two different Splunk enterprise.

We are doing this because the application team data needs to be sent to two different project 'Splunk enterprise' and here one Splunk enterprise needs audit logs and other Splunk enterprise needs Infrastructure data. Based on compliance with Company Security Policy ,Each Splunk enterprise should have the control to manage their own logs while having control over their Deployment servers.

Hence please let me know  if there is any approach where i am able to configure two deploymentclient.conf in one UF and send data to two different deployment servers.

 

Thank You! 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-20-2022 07:49 AM

First, no data is ever sent to a Deployment Server.  Data is only sent to indexers.  A DS is only contacted to get apps.

Second, a deployment client can have one and only one Deployment Server.  Trying to have more than one DS control a UF would result in continual changes on the UF as each DS overrides the other.

Yes, it's possible for a forwarder to send to two different sets of indexers, but only heavy forwarders can do that.  See https://docs.splunk.com/Documentation/Splunk/8.2.6/Forwarding/Routeandfilterdatad

It sounds like the best solution to meet your needs is to have two UFs installed on each server, with each UF managed by a different project team and DS.  If you do this, take care to ensure the UFs are installed in separate directories and do not share inputs or ports.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Ashwini008
Builder
‎05-23-2022 02:32 AM

@richgalloway  Thanks for the response. But we cannot install two UF's since we are using WINDOWS Server which does not allow to install 2 UF's in one Server.


And we need to send data to two different Splunk Enterprise from one single Windows Server where both the Splunk Enterprise Deployment Servers should have control over the logs from the windows server

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-23-2022 08:45 AM

It's not possible for two Deployment Servers to control the same forwarder.  Since you can have only one UF on your servers, you'll have choose one DS to manage them, either one of the existing DSs or a separate one shared by both teams.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...