Splunk Search

Single deployment app for Prod, Test & DR.

Harinder_Singh
New Member

How we usually do business is: on our deployment server, we will create an app specific to its environment, which can get repetitive and creates some overhead. Is it possible to consolidate this?

So, for instance, consider the following example:

We use the Atlassian suite with a total of 7 products (Bamboo, Jira, etc.), each with Prod, Test, and DR environments. Is it possible to create a single app for each product with the ability to differentiate between indices, i.e. jira_test, jira_prod & jira-dr?


amitm05
Builder

I would go with using the same index for all your Atlassian suite apps and environments.
However, I'd prefer to make use of event types and tags to differentiate between my environments and apps.

E.g. if hosts or source IPs can be used to differentiate the environmental data, you could write an event type to say:
Host = xxx OR Host = yyy OR Host = zzz ...
Also create a Tag for this event type.

Also, whatever differentiator you have for recognizing the app-specific events, e.g. an App field, create an event type as:
App = Jira
Also create a Tag for this event type.

Finally, you would be able to see your data by simply querying something like:
Index = Atlassian tag = Production tag = Jira

Let me know if that suits you or if any more details are required.
Thanks.
Please upvote or accept as answer if it serves your purpose 🙂
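
The event types and tags described in the answer above, written out as Splunk configuration. This is an added example, not part of the original post; the stanza names, host names and the `app` field are assumptions to be replaced with whatever actually distinguishes your environments and products.

```ini
# --- eventtypes.conf (constructed example; host names are placeholders) ---
# One event type per environment, keyed on the default "host" field.
[atlassian_env_prod]
search = index=atlassian (host=jira-prod-01 OR host=bamboo-prod-01)

[atlassian_env_test]
search = index=atlassian (host=jira-test-01 OR host=bamboo-test-01)

[atlassian_env_dr]
search = index=atlassian (host=jira-dr-01 OR host=bamboo-dr-01)

# One event type per product. "app" is an assumed extracted field;
# use sourcetype or source instead if that is your differentiator.
[atlassian_app_jira]
search = index=atlassian app=jira

[atlassian_app_bamboo]
search = index=atlassian app=bamboo

# --- tags.conf ---
# Attach a tag to each event type so searches can filter on tag=...
[eventtype=atlassian_env_prod]
production = enabled

[eventtype=atlassian_env_test]
test = enabled

[eventtype=atlassian_env_dr]
dr = enabled

[eventtype=atlassian_app_jira]
jira = enabled

[eventtype=atlassian_app_bamboo]
bamboo = enabled

# Resulting searches:
#   index=atlassian tag=production tag=jira   -> Jira, production only
#   index=atlassian tag=bamboo                -> Bamboo, all environments
```

Because every forwarder writes to the same index, the input configuration in the deployment app no longer differs by environment; the environment split lives entirely in these search-time knowledge objects.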


Harinder_Singh
New Member

@amitm05 this makes perfect sense and fits our use case. I will start working on implementing and get back to you with questions/updates I have.

Thanks a lot!


amitm05
Builder

Sure. Do let me know if it works out for you. Cheers !


amitm05
Builder

And also to mention that this would give you more flexibility in your searches. In case you want to search over all Bamboo data irrespective of your environment, you could simply say:
Index = Atlassian tag = Bamboo

And yes, of course, for once this will require you to do a little work to set up all those tags and event types.

twinspop
Influencer

Don't name your indexes differently. It's a terrible idea. When you create dashboards, reports, extractions, etc. in lower envs, porting to higher envs could be problematic. Use tags or lookups to differentiate your environments if you really need to. Speaking from experience.

Harinder_Singh
New Member

Are you saying have one index per application, e.g. - Bamboo, and distinguish between environments based on source type?


twinspop
Influencer

Distinguish by host would be most common. You should keep sourcetype definitions consistent across environments. Again, in my experience.


bjoernhansen
Path Finder

Am I getting this right?
You don't want to have three copies of your app, with the only difference being which index they should put their index into?


Harinder_Singh
New Member

That is correct. I would really prefer to not have to create 21 apps for all Atlassian applications. From what I have read so far, this would require putting together a bash script placed on the deployment server. So each time the app servers call home, it knows what index to populate.

Thoughts? Am I at least going in the right direction?


somesoni2
SplunkTrust

I don't think I have heard about such a script. Do you have the reference link where you've seen it?

So, data for all environments of your Atlassian apps goes to the same Splunk instance (and that's the reason you've three different indexes)?


Harinder_Singh
New Member

I don't think there's a specific link; it was just me putting 2 and 2 together.
Yes, data goes to a 2-node indexer cluster.
