- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- What are the pros and cons between using apps vers...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Greetings;
I am trying to understand if there are any differences between installing an app; especially those which want data in their own index/sourcetype, versus just sending all raw data into main.
What are the pros/cons for using apps? Do they have any impact on performance?
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you compare installing an app, to indexing everything in "main", it seems like you are overlooking some of the primary reasons for apps and indexes.
Apps provide a way to package and distribute configurations such as field extractions, views, lookups, custom commands, and other functionalities in an organized way. Some apps expect to find data in specific indexes by default and some don't. If you want to use a functionality like dbconnect, look at a good collection of dashboard examples, connect splunk to active directory or hundreds of other things outside of splunk's core functionality, doing so without the benefit of others' work through apps would be a daunting proposition.
Generally, separate indexes provide a way to apply different access and retention polices to different types of data, and can improve performance in various ways depending on how you search and how much data is getting written to your index(es).
In short, the questions of whether or not to make use of apps, and whether or not to put all of your data into your "main" index are separate and have different considerations.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you compare installing an app, to indexing everything in "main", it seems like you are overlooking some of the primary reasons for apps and indexes.
Apps provide a way to package and distribute configurations such as field extractions, views, lookups, custom commands, and other functionalities in an organized way. Some apps expect to find data in specific indexes by default and some don't. If you want to use a functionality like dbconnect, look at a good collection of dashboard examples, connect splunk to active directory or hundreds of other things outside of splunk's core functionality, doing so without the benefit of others' work through apps would be a daunting proposition.
Generally, separate indexes provide a way to apply different access and retention polices to different types of data, and can improve performance in various ways depending on how you search and how much data is getting written to your index(es).
In short, the questions of whether or not to make use of apps, and whether or not to put all of your data into your "main" index are separate and have different considerations.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Many apps have scheduled searches, their views and macros. So if you will install app, it will schedule searches(if app have) and if app have separate indexes and app will write data in those indexes.
Yes, there is a performance consideration, please check
http://docs.splunk.com/Documentation/Splunk/latest/Capacity/HowSplunkappsaffectSplunkEnterpriseperfo...
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
