I want to run Splunk as a Shared Service, where different teams would have their share of the license and their own index. I believe there are two ways to set it up:
Have one Splunk server installation with Splunk forwarders all indexing data into a single pool. With this approach, I can have a scheduled search that checks how much data was consumed by each index, send out alerts, and possibly shut down the port that receives data from forwarders that belong to the team that has violated (or is close to violating) their capacity.
Install a new Splunk server for each team and thus create license pools for each team. This will make license usage clearly visible on the License Page. And if one team violates continuously, only their pool will be affected, while others will be safe. However, the down-side of this approach is running (and maintaining) several Splunk Servers. What if I have 10 teams using my Splunk? Is it really a good idea to have 10 Splunk Servers running?
So I am looking for some suggestions on the best way to design this setup. Is there some recommended standard? Is one way clearly better than another? Is there a third option that I am not aware of?
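For the scheduled-search part of the first option, here is an added example (not from the original post) of the SPL such a check could run, say hourly, against the license master's own usage log. Per-index daily volume comes from the `idx` and `b` (bytes) fields that Splunk writes to `license_usage.log` events of `type=Usage`; the `team_quotas` lookup (fields `idx`, `team`, `quota_gb`) and the 80% warning threshold are assumptions for illustration.

```spl
index=_internal source=*license_usage.log* type=Usage earliest=@d latest=now
| eval gb=b/1024/1024/1024
| stats sum(gb) AS used_gb BY idx
| lookup team_quotas idx OUTPUT team quota_gb
| where isnotnull(quota_gb)
| eval pct=round(100*used_gb/quota_gb,1)
| where pct >= 80
| table team idx used_gb quota_gb pct
| sort - pct
```

Saved as an alert that triggers when the number of results is greater than zero, this reports every index that has consumed 80% or more of its team's daily share since midnight, which is the same information the License Page would show per pool in the second option, without running a separate server per team.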