Splunk Enterprise

How to forward data from single UF to two different deployment servers (2 Splunk enterprise)?

Ashwini008
Contributor

Hi,

I have requirement where i need to configure the UF to send the data to two different deployment servers or in other terms to two different Splunk enterprise.

We are doing this because the application team data needs to be sent to two different project 'Splunk enterprise' and here one Splunk enterprise needs audit logs and other Splunk enterprise needs Infrastructure data. Based on compliance with Company Security Policy ,Each Splunk enterprise should have the control to manage their own logs while having control over their Deployment servers.

Hence please let me know  if there is any approach where i am able to configure two deploymentclient.conf in one UF and send data to two different deployment servers.

 

Thank You! 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

First, no data is ever sent to a Deployment Server.  Data is only sent to indexers.  A DS is only contacted to get apps.

Second, a deployment client can have one and only one Deployment Server.  Trying to have more than one DS control a UF would result in continual changes on the UF as each DS overrides the other.

Yes, it's possible for a forwarder to send to two different sets of indexers, but only heavy forwarders can do that.  See https://docs.splunk.com/Documentation/Splunk/8.2.6/Forwarding/Routeandfilterdatad

It sounds like the best solution to meet your needs is to have two UFs installed on each server, with each UF managed by a different project team and DS.  If you do this, take care to ensure the UFs are installed in separate directories and do not share inputs or ports.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Ashwini008
Contributor

@richgalloway  Thanks for the response. But we cannot install two UF's since we are using WINDOWS Server which does not allow to install 2 UF's in one Server.


And we need to send data to two different Splunk Enterprise from one single Windows Server where both the Splunk Enterprise Deployment Servers should have control over the logs from the windows server

0 Karma

richgalloway
SplunkTrust
SplunkTrust

It's not possible for two Deployment Servers to control the same forwarder.  Since you can have only one UF on your servers, you'll have choose one DS to manage them, either one of the existing DSs or a separate one shared by both teams.

---
If this reply helps you, an upvote would be appreciated.
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...