Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to forward data from single UF to two different deployment servers (2 Splunk enterprise)?

Ashwini008
Builder
‎05-19-2022 11:31 PM

Hi,

I have requirement where i need to configure the UF to send the data to two different deployment servers or in other terms to two different Splunk enterprise.

We are doing this because the application team data needs to be sent to two different project 'Splunk enterprise' and here one Splunk enterprise needs audit logs and other Splunk enterprise needs Infrastructure data. Based on compliance with Company Security Policy ,Each Splunk enterprise should have the control to manage their own logs while having control over their Deployment servers.

Hence please let me know  if there is any approach where i am able to configure two deploymentclient.conf in one UF and send data to two different deployment servers.

 

Thank You! 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-20-2022 07:49 AM

First, no data is ever sent to a Deployment Server.  Data is only sent to indexers.  A DS is only contacted to get apps.

Second, a deployment client can have one and only one Deployment Server.  Trying to have more than one DS control a UF would result in continual changes on the UF as each DS overrides the other.

Yes, it's possible for a forwarder to send to two different sets of indexers, but only heavy forwarders can do that.  See https://docs.splunk.com/Documentation/Splunk/8.2.6/Forwarding/Routeandfilterdatad

It sounds like the best solution to meet your needs is to have two UFs installed on each server, with each UF managed by a different project team and DS.  If you do this, take care to ensure the UFs are installed in separate directories and do not share inputs or ports.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Ashwini008
Builder
‎05-23-2022 02:32 AM

@richgalloway  Thanks for the response. But we cannot install two UF's since we are using WINDOWS Server which does not allow to install 2 UF's in one Server.


And we need to send data to two different Splunk Enterprise from one single Windows Server where both the Splunk Enterprise Deployment Servers should have control over the logs from the windows server

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-23-2022 08:45 AM

It's not possible for two Deployment Servers to control the same forwarder.  Since you can have only one UF on your servers, you'll have choose one DS to manage them, either one of the existing DSs or a separate one shared by both teams.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...