All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Does the Splunk for XenApp app need three different Indexes?

mohankesireddy
Path Finder
‎08-28-2013 12:54 PM

Hi Every one, I am doing a POC with the xenapp in out environment. I am able to install and get all the charts tables populate with data. But it uses three different Indexes, my question is does it really need three different indexes, is there any specific reason why it uses three different indexes. any help is greatly appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rturk
Builder
‎08-28-2013 11:01 PM

Hi Mohankesireddy,

Looking at the XenApp app I have here, I have the following indexes:

  • xenapp
  • xenapp_alerts
  • xenapp_perfmon
  • xenapp_winevents

The following reasons apply to not only the XenApp app, but pretty much any other complex app you care to think of...

Different security requirements for data - An index is the lowest logical unit that security may be effectively applied to. For example, you want your Ops team to see the alerts data, but not the perfmon data (not a realistic example, but I hope you understand my meaning).

Different retention rates - You may want to keep your alert data, and winevents data for 30 days, but only care about your perfmon data for 7 days. Separate indexes allow you this flexibility (and is crucial for compliance purposes)

Different storage requirements - What is another team needed to use some data in a mission critical manner (e.g. alerting) so needs to ensure that their searches run as quickly as possible. With separate indexes you can specify separate (quicker) storage tiers making this possible. Alternatively, you might need to backup some security related data for long periods (e.g. 7 years) to you can move that indexes data to cheaper storage.

Effective compression - Grouping similar data together helps with compression rates.

Summary Indexing - The creation of an additional index for the purposed of summarisation greatly increases the performance of apps, dashboards, and searches.

There are a bunch of other reasons (incl. performance), but I believe these alone justify why it's a good idea to use multiple indexes... all of which would have been relevant to the developer as they created the XenApp app.

Hope this helps 🙂

View solution in original post

Reply
Solved! Jump to solution

mohankesireddy
Path Finder
‎09-03-2013 10:22 AM

Hi Turk,

No there is not specific reason, Just wanted to understand why they need three different indexes.

0 Karma
Reply
Solved! Jump to solution

rturk
Builder
‎08-28-2013 11:02 PM

Hi there - Is there any reason why you think this would be a problem?

0 Karma
Reply
Solved! Jump to solution
Solution

rturk
Builder
‎08-28-2013 11:01 PM

Hi Mohankesireddy,

Looking at the XenApp app I have here, I have the following indexes:

  • xenapp
  • xenapp_alerts
  • xenapp_perfmon
  • xenapp_winevents

The following reasons apply to not only the XenApp app, but pretty much any other complex app you care to think of...

Different security requirements for data - An index is the lowest logical unit that security may be effectively applied to. For example, you want your Ops team to see the alerts data, but not the perfmon data (not a realistic example, but I hope you understand my meaning).

Different retention rates - You may want to keep your alert data, and winevents data for 30 days, but only care about your perfmon data for 7 days. Separate indexes allow you this flexibility (and is crucial for compliance purposes)

Different storage requirements - What is another team needed to use some data in a mission critical manner (e.g. alerting) so needs to ensure that their searches run as quickly as possible. With separate indexes you can specify separate (quicker) storage tiers making this possible. Alternatively, you might need to backup some security related data for long periods (e.g. 7 years) to you can move that indexes data to cheaper storage.

Effective compression - Grouping similar data together helps with compression rates.

Summary Indexing - The creation of an additional index for the purposed of summarisation greatly increases the performance of apps, dashboards, and searches.

There are a bunch of other reasons (incl. performance), but I believe these alone justify why it's a good idea to use multiple indexes... all of which would have been relevant to the developer as they created the XenApp app.

Hope this helps 🙂

Reply
Solved! Jump to solution

mohankesireddy
Path Finder
‎09-03-2013 10:22 AM

Thanks Turk. this helps.

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

The Splunk Community Dashboard Challenge is still happening, and it's not too late to enter for the week of ...

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

What is the Builder Bar? The Builder Bar is more than just a place; it's a hub of creativity, collaboration, ...

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...