All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Does the Splunk for XenApp app need three different Indexes?

mohankesireddy
Path Finder
‎08-28-2013 12:54 PM

Hi Every one, I am doing a POC with the xenapp in out environment. I am able to install and get all the charts tables populate with data. But it uses three different Indexes, my question is does it really need three different indexes, is there any specific reason why it uses three different indexes. any help is greatly appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rturk
Builder
‎08-28-2013 11:01 PM

Hi Mohankesireddy,

Looking at the XenApp app I have here, I have the following indexes:

  • xenapp
  • xenapp_alerts
  • xenapp_perfmon
  • xenapp_winevents

The following reasons apply to not only the XenApp app, but pretty much any other complex app you care to think of...

Different security requirements for data - An index is the lowest logical unit that security may be effectively applied to. For example, you want your Ops team to see the alerts data, but not the perfmon data (not a realistic example, but I hope you understand my meaning).

Different retention rates - You may want to keep your alert data, and winevents data for 30 days, but only care about your perfmon data for 7 days. Separate indexes allow you this flexibility (and is crucial for compliance purposes)

Different storage requirements - What is another team needed to use some data in a mission critical manner (e.g. alerting) so needs to ensure that their searches run as quickly as possible. With separate indexes you can specify separate (quicker) storage tiers making this possible. Alternatively, you might need to backup some security related data for long periods (e.g. 7 years) to you can move that indexes data to cheaper storage.

Effective compression - Grouping similar data together helps with compression rates.

Summary Indexing - The creation of an additional index for the purposed of summarisation greatly increases the performance of apps, dashboards, and searches.

There are a bunch of other reasons (incl. performance), but I believe these alone justify why it's a good idea to use multiple indexes... all of which would have been relevant to the developer as they created the XenApp app.

Hope this helps 🙂

View solution in original post

Reply
Solved! Jump to solution

mohankesireddy
Path Finder
‎09-03-2013 10:22 AM

Hi Turk,

No there is not specific reason, Just wanted to understand why they need three different indexes.

0 Karma
Reply
Solved! Jump to solution

rturk
Builder
‎08-28-2013 11:02 PM

Hi there - Is there any reason why you think this would be a problem?

0 Karma
Reply
Solved! Jump to solution
Solution

rturk
Builder
‎08-28-2013 11:01 PM

Hi Mohankesireddy,

Looking at the XenApp app I have here, I have the following indexes:

  • xenapp
  • xenapp_alerts
  • xenapp_perfmon
  • xenapp_winevents

The following reasons apply to not only the XenApp app, but pretty much any other complex app you care to think of...

Different security requirements for data - An index is the lowest logical unit that security may be effectively applied to. For example, you want your Ops team to see the alerts data, but not the perfmon data (not a realistic example, but I hope you understand my meaning).

Different retention rates - You may want to keep your alert data, and winevents data for 30 days, but only care about your perfmon data for 7 days. Separate indexes allow you this flexibility (and is crucial for compliance purposes)

Different storage requirements - What is another team needed to use some data in a mission critical manner (e.g. alerting) so needs to ensure that their searches run as quickly as possible. With separate indexes you can specify separate (quicker) storage tiers making this possible. Alternatively, you might need to backup some security related data for long periods (e.g. 7 years) to you can move that indexes data to cheaper storage.

Effective compression - Grouping similar data together helps with compression rates.

Summary Indexing - The creation of an additional index for the purposed of summarisation greatly increases the performance of apps, dashboards, and searches.

There are a bunch of other reasons (incl. performance), but I believe these alone justify why it's a good idea to use multiple indexes... all of which would have been relevant to the developer as they created the XenApp app.

Hope this helps 🙂

Reply
Solved! Jump to solution

mohankesireddy
Path Finder
‎09-03-2013 10:22 AM

Thanks Turk. this helps.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...