If you are a service provider, it is not necessary to set up a dedicated Splunk server for every customer. Splunk fully supports multi-tenancy and uberAgent does, too. This article describes how to configure it.
Splunk stores data in indexes. An index is conceptually similar to a database except that it does not have a fixed schema. Regarding multi-tenancy, the important thing is that you can set permissions per index.
Setting up a multi-tenant Splunk & uberAgent installation is simple. We are going to follow the concept outlined in the Splunk blog.
The required steps are described very well in the Splunk blog article mentioned above. Here is a summary:
- Create a unique index per customer. Please note that all uberAgent indexes should start with a common prefix (e.g. “uberagent”) so that they can be searched with a single wildcard statement (e.g. “uberagent*”). Valid names would be uberagent-customer1 and uberagent-customer2.
- To set up custom index names, follow the instructions in this article.
- Configure users according to the Splunk blog article.
If you have configured this, you have a setup where Splunk administrators can search everything while individual customer admins can only search their own data.
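A check for the isolation property stated above, as an added example that is not part of the original article or of Splunk or uberAgent: it reads the role stanzas of an authorize.conf, resolves `importRoles` inheritance, and reports every role that can search more than one customer index. The role names and the sample configuration are constructed, and `fnmatch` is used as an approximation of Splunk's `*` wildcard.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample authorize.conf; all role names are hypothetical.
SAMPLE_AUTHORIZE_CONF = """
[role_uberagent_admin]
srchIndexesAllowed = uberagent*
[role_shared_base]
srchIndexesAllowed = uberagent*
[role_customer1]
srchIndexesAllowed = uberagent-customer1
[role_customer2]
importRoles = shared_base
srchIndexesAllowed = uberagent-customer2
"""

TENANT_INDEXES = ["uberagent-customer1", "uberagent-customer2"]  # names from the article

def _split(value):
    """Splunk separates multiple indexes or roles with semicolons."""
    return [v.strip() for v in value.split(";") if v.strip()]

def effective_patterns(roles, name, seen=None):
    """srchIndexesAllowed of a role plus everything inherited via importRoles."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:
        return set()
    seen.add(name)
    patterns = set(_split(roles[name].get("srchIndexesAllowed", "")))
    for parent in _split(roles[name].get("importRoles", "")):
        patterns |= effective_patterns(roles, parent, seen)
    return patterns

def audit(conf_text, tenant_indexes, provider_roles=("uberagent_admin",)):
    """Return {role: [indexes]} for non-provider roles that reach more than one tenant."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    roles = {s[len("role_"):]: cp[s] for s in cp.sections() if s.startswith("role_")}
    findings = {}
    for role in sorted(set(roles) - set(provider_roles)):
        patterns = effective_patterns(roles, role)
        reachable = sorted(i for i in tenant_indexes
                           if any(fnmatchcase(i, p) for p in patterns))
        if len(reachable) > 1:
            findings[role] = reachable
    return findings

if __name__ == "__main__":
    for role, indexes in audit(SAMPLE_AUTHORIZE_CONF, TENANT_INDEXES).items():
        print(f"role '{role}' can search multiple tenants: {indexes}")
```

In the sample, `customer2` is flagged even though its own stanza names a single index, because the imported role carries the `uberagent*` wildcard.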