MSaaS: A Conceptual Multi-Splunk Architecture Framework for Multitenant Splunk Deployments for MSPs, MSSPs and Enterprises

Organizations with large-scale, multitenant Splunk Enterprise deployments need to provide data segregation and access control for individual tenants to meet regulatory requirements or internal security policies. In addition, they need a scalable solution that can successfully handle the volume of data and the growing number of instances under management. These organizations strive to speed deployment and manage both deployment and upgrade risk, all while controlling administrative costs. They need a cost-efficient approach that reduces the marginal cost of each additional Splunk Enterprise instance and helps optimize their total cost of ownership of the platform.

Multiple Splunk as a Service (MSaaS) is an architectural framework that proposes a multi-instance approach to supporting multiple internal or external customers. Although multiple customers can be supported on a single Splunk Enterprise instance, the multi-instance approach is inherently more scalable and provides essential data segregation capabilities in a multi-tenant environment. The Splunk Enterprise licensing model, together with indexing volume tracking for each individual instance, can be used as a basis for flexible chargeback plans for individual clients. Leveraging this multi-instance approach can provide an economical and scalable solution for managing multitenant deployments.

The MSaaS approach proposes an automated, on-demand request process to provision Splunk Enterprise instances as needed for individual clients, or to tailor deployments for operational reasons within an organization. Investing in the design and implementation of an MSaaS architecture benefits ROI when deploying new Splunk Enterprise instances. The automated deployment process can be very time efficient—taking minutes or hours to deploy, integrate, and test a new Splunk Enterprise instance. Deployment is packaged and modular, and it is consistent across all instances. This consistency reduces the risk of introducing errors and simplifies managing the deployed instances. Integration with a version control system (VCS) provides reliable tracking and control of the deployed configuration files, reduces the risks associated with periodic configuration changes, and enables rollback to a known stable state when carrying out changes. Using a configuration management system (CMS) provides ease of deployment and scalability for large implementations and promotes consistency and reliability.
The MSaaS architecture is highly flexible and supports custom configuration for each deployed Splunk Enterprise instance.

The Multiple Splunk as a Service (MSaaS) technical white paper describes a conceptual framework for designing an MSaaS architecture that supports multitenant Splunk Enterprise deployments as a service. It describes the MSaaS architecture, outlines typical administration and deployment tasks, and describes an example implementation of this architecture by a Splunk partner.

Diagram of MSaaS architecture implemented at Schuberg Philis

MSaaS architecture implemented at Schuberg Philis

Implementing the MSaaS architecture at Schuberg Philis was a success, with 15 deployed customer islands (as of publication). Before embarking on the MSaaS based design and implementation, the company was confident of the Splunk Enterprise software capabilities but required a strategy to help it efficiently deploy and manage multiple instances. The MSaaS-based Splunk Enterprise deployment enabled Schuberg Philis to successfully provide support for mission-critical applications for multiple customers without having to allocate significant resources for its ongoing maintenance, and the manageability, performance and scalability of the solution met their requirements.

The biggest benefit of the MSaaS architecture deployed at Schuberg Philis is the huge efficiency achieved by the automatic deployment of new Splunk Enterprise instances for customers. Deployment time takes approximately one hour per Splunk instance or island. In addition, by having a scripted deployment, the potential for human errors and misconfigurations are minimal. The use of a VCS provides a valuable audit trail for tracking new deployments, upgrades and changes to configurations. This flexible solution enables Schuberg Philis to efficiently provide a scalable solution for a growing number of customers with very little Splunk-related marginal overhead per customer.

The MSaaS architecture enables Schuberg Philis to track and understand per-customer usage. Although they are currently not implementing per-customer utilization chargeback, they can easily add this functionality at any time if their business requirements change.

Click here to download the white paper. Click here to download any Splunk white paper.