I am building our new dashboards and alerts in our Acceptance environment; later we will move the whole app to Production. The issue at the moment is that on Acceptance file transfers are named like A03811 and on Production this file transfer is P03811. I don't want to change all of the searches that need to differentiate between the environments after we deploy the app to Production, so I am trying to find a way to check the environment in the search and change things accordingly.
What suggestion do you have to deal with this?
Let's say your field name for the file is filename, i.e. filename="A03811" and filename="P03811" for the Acceptance and Prod environments respectively.
Eventtype for Acceptance Environment:
getEnvFiles --> <YourBaseSearchWithIndexSourceType_etc> filename="A*"
Eventtype for Prod Environment:
getEnvFiles --> <YourBaseSearchWithIndexSourceType_etc> filename="P*"
Then in your dashboard search you can use the following which will be the same for both environments:
eventtype="getEnvFiles" filename="*03811"
Also, for manually setting the environment, you can define a macro with an env parameter as A or P:
setEnv("A") or setEnv("P")
which sets the eventtype similar to getEnvFiles, i.e. for example when the macro argument is "A":
<YourBaseSearchWithIndexSourceType_etc> filename="A*"
Let me know if this is sufficient or you need further details.
Thank you! I am going to try this out.
Assuming all of the data is sent to the same indexers, you could add an input (drop-down / multiselect / radio button) to your dashboards (in essence making it a form) and pass a token to the search in place of the filename. If you're not familiar with how to do this I would suggest reading up on it. See: http://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens
Look for the "define tokens in inputs" section. This can also be done via the GUI by going to your dashboard, click edit, click add input, [ choose your input type ] and then fill out the sections. If you need more help let me know.
I did consider this option. But that isn't going to work in an alert. Also it would be a fairly pointless form input since Splunk A and Splunk P are on different servers.
@Bob_Bard, in your existing App in the acceptance environment do you have logic around Filename starting with A? Or are you using the file name as is for display? Also what is the field for filename?
@niketnilay, I am not sure I understand what you are asking. A03811 is a file transfer that moves some blabla842.csv file to a different location. All the file transfers in our acceptance environment start with an A and all the corresponding ones in production start with a P. When a file transfer has occurred we log the status (either "success" or "failed"). I want to put the failed ones on a dashboard. Everything works fine, except that when I would move the app to production it would look for file transfer A03811 and find nothing. It needs to look for P03811 instead.
@Bob_Bard, I wanted to confirm the dependency on file transfer A03811. What exactly in your app refers to this? Or rather how is it hard-coded? Is it a field, index, sourcetype or something else?
In our case we had two indexes one for stage (index="stage_blahblah") and another one for prod (index="blahblah").
We had created the same eventtype in stage and prod which was referred by macro call with argument as stage or prod.
In case of stage the event type was somename to set index="stage_blahblah" and macro call was setEnv("stage")
In case of stage the event type was also somename to set index="blahblah" and macro call was setEnv("prod")
This way the dashboard code remained the same just that we had to change event type definition in stage and prod. Also manually we could just change the argument of setEnvironment macro to override settings to switch from one environment to another (like smoke testing prod environment etc.)
Ah, A03811 would be a field.
I hadn't yet thought of using a macro. I could have a macro that simply expands into A or P and use that in a replace.
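The same-named eventtype per environment, as suggested in the answers above, written out as Splunk configuration. This is an added example, not posted by anyone in the thread; `getEnvFiles` and `filename` come from the thread, while the index `filetransfer`, the sourcetype `ft:status`, the field name `status` and the alert name are placeholder assumptions.

```ini
# --- Acceptance search head only: eventtypes.conf ---
# Maintained per environment, not shipped with the app package.
[getEnvFiles]
search = index=filetransfer sourcetype=ft:status filename="A*"

# --- Production search head only: eventtypes.conf ---
# Same stanza name, different prefix, so nothing downstream changes.
[getEnvFiles]
search = index=filetransfer sourcetype=ft:status filename="P*"

# --- Shipped with the app, identical in both environments: savedsearches.conf ---
# The alert matches on the environment-independent suffix only.
[Failed file transfer 03811]
search = eventtype="getEnvFiles" filename="*03811" status="failed"
```

Because the environment prefix lives in one stanza per server, alerts and dashboards can both reference `eventtype="getEnvFiles"` without a form input.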