I was able to pull the log in splunk one tenant at a time, but I only have Splunk prod environment. Therefore, I need to pull log from 3 SP tenant.
The splunk application owner tells me that according to the Sailpoint document: SailPoint Identity Security Cloud AuditEvent Add-on for Splunk - Installation and User Guide - Compass
Additional setting doesn’t have option for multiple tenant.
Please let me know if there is any solution to this problem.
Thank you
Bijen
Hi @Bmaharjan ,
The SailPoint Identity Security Cloud AuditEvent add-on does not currently have multi tenant support. It has the ability to extract audit information from only one of the Identity Security Cloud tenant using Splunk Enterprise or Splunk Cloud.
When you have more than one Identity Security Cloud instances (dev, test, prod), how do you configure the Add-on?
For more than one IdentityNow instances, you would need two different setup. The add-on settings takes precedence over data input settings and since the add-on currently does not have multi tenant support, details for add-on settings and data input will have to be same.
Hope this information helps.
-Regards,
Dhara Shah
Are there any other way to pull log in Splunk from all three tenant beside Cloud Audit Event add-on?
Hi @Bmaharjan ,
It is an expected behavior to pull events from one ISC tenant to splunk platform.
Like I mentioned earlier,
For more than one IdentityNow instances, you would need different setup. The add-on settings takes precedence over data input settings and since the add-on currently does not have multi tenant support, details for add-on settings and data input will have to be same.
Hope this information helps.
-Regards
Dhara Shah
Hi @Bmaharjan, were you able to fetch ISC logs from different environments into Splunk ?
No Ma’am. I was not able to pull from different tenant.
Hi,
In our context we created a second index to load sandbox data from another instance of the module and it works as expected.
Regards