Solved: What are the pros and cons between using apps vers...

nychawk · ‎01-30-2015

Greetings;

I am trying to understand if there are any differences between installing an app; especially those which want data in their own index/sourcetype, versus just sending all raw data into main.

What are the pros/cons for using apps? Do they have any impact on performance?

Thanks in advance.

chanfoli · ‎01-30-2015

When you compare installing an app, to indexing everything in "main", it seems like you are overlooking some of the primary reasons for apps and indexes.

Apps provide a way to package and distribute configurations such as field extractions, views, lookups, custom commands, and other functionalities in an organized way. Some apps expect to find data in specific indexes by default and some don't. If you want to use a functionality like dbconnect, look at a good collection of dashboard examples, connect splunk to active directory or hundreds of other things outside of splunk's core functionality, doing so without the benefit of others' work through apps would be a daunting proposition.

Generally, separate indexes provide a way to apply different access and retention polices to different types of data, and can improve performance in various ways depending on how you search and how much data is getting written to your index(es).

In short, the questions of whether or not to make use of apps, and whether or not to put all of your data into your "main" index are separate and have different considerations.

View solution in original post

chanfoli · ‎01-30-2015

When you compare installing an app, to indexing everything in "main", it seems like you are overlooking some of the primary reasons for apps and indexes.

Apps provide a way to package and distribute configurations such as field extractions, views, lookups, custom commands, and other functionalities in an organized way. Some apps expect to find data in specific indexes by default and some don't. If you want to use a functionality like dbconnect, look at a good collection of dashboard examples, connect splunk to active directory or hundreds of other things outside of splunk's core functionality, doing so without the benefit of others' work through apps would be a daunting proposition.

Generally, separate indexes provide a way to apply different access and retention polices to different types of data, and can improve performance in various ways depending on how you search and how much data is getting written to your index(es).

In short, the questions of whether or not to make use of apps, and whether or not to put all of your data into your "main" index are separate and have different considerations.

harshilmarvani1 · ‎01-30-2015

Hi,

Many apps have scheduled searches, their views and macros. So if you will install app, it will schedule searches(if app have) and if app have separate indexes and app will write data in those indexes.

Yes, there is a performance consideration, please check
http://docs.splunk.com/Documentation/Splunk/latest/Capacity/HowSplunkappsaffectSplunkEnterpriseperfo...

What are the pros and cons between using apps versus just sending all raw data to the main index?

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Splunk App Dev Community Updates – What’s New and What’s Next

The Latest Cisco Integrations With Splunk Platform!

Are you a member of the Splunk Community?

What are the pros and cons between using apps versus just sending all raw data to the main index?

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Splunk App Dev Community Updates – What’s New and What’s Next

The Latest Cisco Integrations With Splunk Platform!