We are deploying hosting to various organizations in our "company". Each organization in our company may consist of numerous apps (100+ and 5,000+ employees). Our intention is to provide these organizations with an AWS Account, which would be consumed into our AWS deployment infrastructure. Each VPC/AWS Account will hold various apps and types of data.
My query is: should I be looking to treat each of these accounts as a separate Splunk site (Multisite deployment), with searches local to that VPC?
Or instead, should I route log traffic to a separate "master" VPC deployment as a larger clustered deployment?
Qty of apps/users is a sliding scale as our project grows. Today it's 1 app only - next year it could be 100 per organization.
I had initially intended to route logs securely to a single Splunk Enterprise cluster made up of say 1 search head & 2-3 indexes and grow out as demand grows. But on reading about multisite, there seem to be quite a lot of benefits. However, I suspect costs saved via VPC traffic cost vs oodles of nodes/indexers/search heads per AWS account will be lost.
Or would it be better to view Multisite as a longer-term strategy deployment of Splunk — as the project grows etc. — and then migrate deployment at a later date?
Thoughts welcome.