Hi
I'm considering to build a shared Splunk instance and offer it to our hosting customers. Each customers data goes to their own index and their search scope is limited to that index, so security/customer separation is ok.
But if a single customer suddenly generates more data, than our license permits, then he can block the other customers from searching (well - if it happens 7 times in a rolling 30 days, at least). That situation is of cause not acceptable.
Is there any way to stop incoming data or limit it to a certain amount?
Best regards,
Karsten
... View more