Deployment Architecture

Copy index

splunkuzleuven
Loves-to-Learn Lots

I'm looking for a clean way to copy an index or duplicate a data stream without having to index it twice.

We have a Splunk production environment, but are setting up a new environment. This one is more development based, but would use some of the data that is running in production.
Seeing we don't want to mix dev and prod, but don't want to index data twice, what would be the best way to make certain data or indexes available to both machines?

We tried a setup with forwarding from the prod machine, and with transforms and props we managed to get the correct data to our dev machine, but then the prod machine stopped indexing altogether...

0 Karma

skalliger
SplunkTrust

First of all, a question: Do you really need to copy your indexes to new indexers? If so, do you really think you need new indexers? You could just set up a new search head which points to your existing indexers and do your development from there.

Skalli

0 Karma

splunkuzleuven
Loves-to-Learn Lots

Let's say, not copy the index directly. Just copy the stream of data, but without it being indexed twice (don't want to waste volume).
How would I go about doing that without having to set up a new server if possible...

I'm open to all suggestions, as long as I'm not wasting license volume.

0 Karma

lakshman239
SplunkTrust

If you want your prod data to be useful/available for dev, without indexing, you only need to set up a search head for dev and point to existing indexers.

Alternatively, on your laptop/dev machine, you can have Splunk and the eventgen app and config [taking samples from prod] and do your development.

In both cases, you will need some compute and license/free, but an option.

0 Karma
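A sketch of the dev search head setup that both replies suggest, added here as an example and not posted by anyone in the thread: the dev search head lists the prod indexers as search peers, and a dev role is limited to the indexes it should see. Host names, the role name and the index names are constructed placeholders; searching existing indexes does not re-index the data.

```ini
# ---- distsearch.conf on the DEV search head ----
# ($SPLUNK_HOME/etc/system/local/distsearch.conf)
[distributedSearch]
# Management (splunkd) URIs of the existing prod indexers.
# Placeholder hosts; 8089 is the default management port.
servers = https://prod-idx1.example.internal:8089,https://prod-idx2.example.internal:8089
# Peers added by editing this file (rather than through Splunk Web
# or the CLI) also need the search head's public key distributed to
# each peer by hand before searches are accepted.

# ---- authorize.conf on the DEV search head ----
# ($SPLUNK_HOME/etc/system/local/authorize.conf)
# Hypothetical role for developers working against prod data.
[role_dev_analyst]
# Grant the search capability directly instead of importing the
# built-in "user" role: index access is additive across imported
# roles, so importing a role with a broad srchIndexesAllowed would
# undo the restriction below.
search = enabled
# Only these prod indexes (placeholder names) are searchable;
# the list is semicolon-separated.
srchIndexesAllowed = app_logs;web_access
# Index searched when a query names none.
srchIndexesDefault = app_logs
```

Assign dev users only this role on the dev search head, and check with a search against an index outside the allowed list that nothing is returned.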