Is it possible to use one instance of Splunk to monitor two cloud vendor environments? As in, an AWS and an Azure environment, and what would the architecture look like? Also, are there any downsides to doing this?
I would suggest, for your own sanity, setting up an indexer cluster and having AWS as one site and Azure as another, but monitoring both environments from one Splunk instance is easily achieved.
Why exactly would you recommend that? It means managing two different types of infrastructure, with different instance types and so on. I would say it is much easier to manage a Splunk cluster that is fully built on either AWS or Azure, not split across both?
I can imagine it might be a bit easier if you can point Azure sources to the Azure indexer site and AWS sources to the AWS indexer site, but wondering if that advantage outweighs the disadvantages of having such a split set up?
If you do so: do make sure latency between those two environments is within acceptable limits. https://answers.splunk.com/answers/317146/what-is-the-maximum-latency-we-should-see-between.html mentions 100ms as a guideline.
My thoughts are around scale, as we could go with a number of cloud offerings over many tiers, and we could then end up running loads of different Splunk instances, so I am concerned from an analysis point of view that we could end up with loads of screens to watch. And yes, we would have indexers in both site environments to keep that continuity.
As long as you can arrange connectivity from each of those environments to your Splunk environment: sure.
Enabling connectivity from a certain cloud environment to somewhere else might be a bit more difficult than arranging connectivity within the environment, but technically there is no reason why you couldn't send logs from AWS hosted devices and from Azure hosted systems to a single Splunk environment.
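To make the arrangement discussed above concrete (AWS as one cluster site, Azure as the other, forwarders in each cloud writing to their local site, and only a small set of ports needing cross-cloud connectivity), here is an added configuration example. It is not part of the original thread and not copied from any Splunk documentation; the hostnames, ports, cluster label, certificate paths and site_* factors are assumed placeholders chosen to illustrate the layout, not a recommended sizing. Older Splunk releases spell `mode = manager` and `manager_uri` as `mode = master` and `master_uri`.

```ini
# ===== Cluster manager (assumed to run in AWS) =====
# $SPLUNK_HOME/etc/system/local/server.conf
[general]
site = site1

[clustering]
mode = manager
multisite = true
available_sites = site1,site2
# Illustrative choice: one copy in the site that ingested the data,
# two copies in total, so each cloud holds a full copy of every bucket.
site_replication_factor = origin:1,total:2
site_search_factor = origin:1,total:2
cluster_label = multicloud_cluster
# Same secret on every cluster member and on forwarders using indexer discovery.
pass4SymmKey = <shared-cluster-secret>

# ===== Indexer (peer) in Azure =====
# $SPLUNK_HOME/etc/system/local/server.conf
[general]
site = site2

[clustering]
mode = peer
# 8089/tcp on the manager must be reachable from Azure.
manager_uri = https://cm.example.internal:8089
pass4SymmKey = <shared-cluster-secret>

# Bucket replication between sites runs over this port; it is the
# cross-cloud traffic the 100ms latency guideline applies to.
[replication_port://9887]

# $SPLUNK_HOME/etc/system/local/inputs.conf (same on every peer)
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
sslPassword = <cert-password>
requireClientCert = true

# An AWS peer is identical except for:  site = site1

# ===== Search head (assumed in AWS, searches both sites) =====
# $SPLUNK_HOME/etc/system/local/server.conf
[general]
site = site1

[clustering]
mode = searchhead
multisite = true
manager_uri = https://cm.example.internal:8089
pass4SymmKey = <shared-cluster-secret>

# ===== Universal forwarder on an Azure VM =====
# $SPLUNK_HOME/etc/system/local/server.conf
# With indexer discovery, the forwarder's own site makes the manager hand
# it the peers of that site first, so Azure sources land on Azure indexers.
[general]
site = site2

# $SPLUNK_HOME/etc/system/local/outputs.conf
[indexer_discovery:multicloud]
manager_uri = https://cm.example.internal:8089
pass4SymmKey = <shared-cluster-secret>

[tcpout]
defaultGroup = multicloud_group

[tcpout:multicloud_group]
indexerDiscovery = multicloud
# Indexer acknowledgement guards against data loss if the cross-cloud
# link drops mid-stream.
useACK = true
# Mutual TLS towards 9997 on the peers.
clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
sslPassword = <cert-password>
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem
sslVerifyServerCert = true

# A forwarder on an AWS host uses the same outputs.conf with  site = site1.
```

With this layout the only flows that must cross the cloud boundary are manager traffic on 8089, peer-to-peer replication on 9887, and search-head-to-peer traffic, so those are the security-group and NSG rules to open (and the ones to watch for latency). Forwarder traffic on 9997 normally stays inside each cloud because of the site affinity, which is the operational upside the thread describes; the downside is that a site replication factor of total:2 doubles the storage and the replication traffic compared with a single-site cluster.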