We are deploying hosting to various organisations in our "company". Each organisation in our company may consist of numerous apps (100+ and 5,000+ employees). Our intention is to provide these organisations with an AWS Account which will be consumed into our AWS deployment infrastructure. Each VPC/AWS Account will hold various apps and types of data.
My query is: should I be looking to treat each of these accounts as a separate Splunk site (Multisite deployment) where searches are local to that VPC, or instead to route log traffic to a separate "master" VPC deployment as a larger clustered deployment?
Qty of apps/users is a sliding scale as our project grows. Today it's 1 app only - next year it could be 100 per organisation.
I had initially intended to route logs securely to a single enterprise cluster made up of say 1 search head & 2-3 indexes and grow out as demand grows. But on reading about multisite there seem to be quite a lot of benefits - however, I suspect costs saved via VPC traffic cost vs oodles of nodes/indexers/search heads per AWS account will be lost. Or would it be better to view Multisite as a longer-term strategy deployment of Splunk as the project grows etc., and then migrate the deployment at a later date?
Thoughts welcome.