
Why don't the Splunk for Windows and Splunk for AD apps use the same index for perfmon data?

msarro
Builder

In the Splunk for Windows app, all perfmon data gets stored in the main index. In the Splunk for AD app, all perfmon data gets stored in the perfmon index. Why don't they use the same index? Given that they're all supported by Splunk, it doesn't make much sense. Especially since the Splunk for AD app requires the Splunk TA from the Windows app.

Why should we take it in a second time? That counts double towards our license utilization, further impacts performance on both the indexer and forwarder, and takes twice as much storage on the indexer.

halr9000
Motivator

By the way, I had notified our Windows PM about this question a couple of days ago.


lukejadamec
Super Champion

I believe the rule is: don't install both the TA for Windows and the Windows AD add-on on an AD DC system. The Windows AD DC add-on does everything that the TA does, so it is just a duplicate minus some to install the Windows TA.

Regardless of the rules, why do you want to manage a DC the same way as an MS?

Sure, the Windows Perfmon App is fancy, but it is not much help with managing a DC.
One size fits all only makes sense if you're making pea soup with only peas, grits, oatmeal, prime time TV show, etc....


msarro
Builder

That is great - the problem is that the different apps are sending the same data to different indexes, and the dashboards/searches in each app are set up to look in their own location for the same data. That doesn't make sense. I have opened a support ticket with Splunk and they have acknowledged it as an issue that should be resolved.

As for the reasoning, both apps had originally been required for the Splunk Exchange app. This appears to no longer be the case (the Windows app is required, and the SA for AD is required instead of the full app).


msarro
Builder

All of the Splunk-created dashboards refer to the indexes by name, so it actually matters here. If I were doing self-created searches, that would be one thing. However, these applications already contain tens if not hundreds of canned searches, which would all need to be rewritten. That's why the index matters to me. Avoiding double-dipping would require me to rewrite a significant number of searches inside the Splunk apps. It would also require the same work every time the apps are updated. To me the indexes are the same; I just don't want to pay to index the same data twice.


BenjaminWyatt
Communicator

To add my own two cents: I think the issue for me is simply that it's annoying to have perfmon data residing in different indexes. Given that there aren't really any security constraints around perfmon data, and whatever data retention policies exist are probably going to be standard across most of the servers you are collecting perfmon data from, there just doesn't seem to be a good reason to have them sent to different indexes "out of the box".

I grant you that this is easy enough to fix at the app level - it just seems like an inelegant design to have to work with.


halr9000
Motivator

I won't argue the (valid) point, but I'll answer your question with a question:

For most purposes, you can abstract this away by omitting the index, or using an OR in a search. I'm interested in hearing why the index matters to you? Maybe you can modify your question to expand on this? Indexes are used as security boundaries, or as a container for data retention settings. For example, "I want to keep data in this index for 30 days, but that index for 365 days, with an archive to tape for even longer". Are the "main" and "perfmon" indexes different enough to you that you would treat them differently?

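As an added example, not code from the original thread or from any Splunk app: a Python script that reads the inputs.conf of two add-ons the way Splunk merges them within one app (keys in local/ override the same keys in default/, and a perfmon stanza with no index key lands in the default index, main), lists where each enabled perfmon:// input is routed, and flags the same object and counter set being collected under two different stanzas. This is the check behind the "paying to index the same data twice" complaint above, and the local override in it is one way to consolidate collection into a single index; the three inputs.conf texts are constructed samples with hypothetical stanza names, not the real Splunk_TA_windows or AD add-on contents. Searches that hard-code the other index name still need to be pointed at the consolidated index (or widened with an index=main OR index=perfmon clause, as halr9000 suggests).

```python
"""Report which index each perfmon:// input lands in and flag objects
collected twice. Splunk .conf files are INI-style; within one app the
keys in local/inputs.conf override the same keys in default/inputs.conf.
All three conf texts below are constructed samples for illustration."""
import configparser

DEFAULT_INDEX = "main"  # Splunk's default index when a stanza sets none

# Constructed sample: a Windows TA whose perfmon stanzas set no index,
# so their data falls through to 'main'.
TA_WINDOWS_DEFAULT = """
[perfmon://CPU]
object = Processor
counters = % Processor Time; % User Time
instances = *
interval = 10
disabled = 0

[perfmon://Memory]
object = Memory
counters = Available Bytes; Pages/sec
interval = 10
disabled = 0
"""

# Constructed sample: an AD add-on collecting the same Processor counters
# under its own stanza name, routed to the 'perfmon' index.
TA_AD_DEFAULT = """
[perfmon://DC-CPU]
object = Processor
counters = % Processor Time; % User Time
instances = *
interval = 10
disabled = 0
index = perfmon

[perfmon://NTDS]
object = NTDS
counters = DRA Inbound Bytes Total/sec
interval = 10
disabled = 0
index = perfmon
"""

# Constructed sample: a local override for the Windows TA that disables the
# duplicated input and moves the remaining one to the AD add-on's index.
TA_WINDOWS_LOCAL = """
[perfmon://CPU]
disabled = 1

[perfmon://Memory]
index = perfmon
"""


def parse_conf(text):
    """Parse one Splunk .conf text into {stanza: {key: value}}.
    interpolation=None keeps '%' literal; no inline comment prefixes, so
    the ';' separators inside counter lists survive."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written, like Splunk does
    cp.read_string(text)
    return {stanza: dict(cp[stanza]) for stanza in cp.sections()}


def effective_inputs(default_text, local_text=""):
    """Merge local over default per stanza, key by key (Splunk's rule within one app)."""
    merged = parse_conf(default_text)
    for stanza, keys in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(keys)
    return merged


def normalize_counters(raw):
    """'% Processor Time; % User Time' -> sorted tuple, so order does not matter."""
    return tuple(sorted(c.strip() for c in raw.split(";") if c.strip()))


def perfmon_routing(apps):
    """apps: {app_name: (default_text, local_text)}.
    Returns one (app, stanza, object, counters, index) row per enabled perfmon input."""
    rows = []
    for app, (default_text, local_text) in apps.items():
        for stanza, keys in effective_inputs(default_text, local_text).items():
            if not stanza.startswith("perfmon://") or keys.get("disabled", "0") == "1":
                continue
            rows.append((app, stanza, keys["object"],
                         normalize_counters(keys.get("counters", "")),
                         keys.get("index", DEFAULT_INDEX)))
    return rows


def find_duplicates(rows):
    """Group enabled inputs by (object, counters); any group with more than
    one entry is the same data being indexed twice, possibly in two indexes."""
    by_key = {}
    for app, stanza, obj, counters, index in rows:
        by_key.setdefault((obj, counters), []).append((app, stanza, index))
    return {key: entries for key, entries in by_key.items() if len(entries) > 1}


if __name__ == "__main__":
    for label, local in (("as shipped", ""), ("with local override", TA_WINDOWS_LOCAL)):
        rows = perfmon_routing({"Splunk_TA_windows": (TA_WINDOWS_DEFAULT, local),
                                "Splunk_TA_AD": (TA_AD_DEFAULT, "")})
        print(f"== {label} ==")
        for app, stanza, obj, counters, index in rows:
            print(f"{app:18} {stanza:20} object={obj:10} index={index}")
        for (obj, counters), entries in find_duplicates(rows).items():
            print(f"DUPLICATE: {obj} {list(counters)} collected by {entries}")
```

Run with the shipped defaults, the Processor counters show up twice, once routed to main and once to perfmon; with the local override applied, every remaining perfmon input resolves to a single index and no duplicates are reported.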