Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What are some App Best Practices?

EricPartington
Communicator
‎08-31-2010 01:08 AM

<p>Looking for some feedback on best practices on how to seperate different sources by app for a splunk install.
there will be individual support teams interested in their technology as well as overall views of all technologies logged with splunk.</p>

<p>Is it best to have an app created for each technology (unix, windows, firewall, webservers) and limit/grant access based on apps?
Is keeping the inputs, props and transforms related to each technology best kept with each app?
How does this help or hinder distributing these apps(and configuration) across distributed search heads?</p>

<p>I will be taking the online course you provide, and that may provide some answers but thought i would ask for the collective wisdom of the 'Answers' people while i wait for my course to start.</p>

<p>thanks</p>

Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-31-2010 02:03 AM

So, first, I have a partial answer here about how to subdivide an app: http://answers.splunk.com/questions/4559/best-practices-for-installing-and-configuring-apps-in-a-dis...

As for how to decide what to make into separate apps, I'd say there are two sets, and you need to have both kinds:

  • Data-oriented apps. These are what I had in mind when I wrote my above post. They basically cover configurations needed in the "Data acquistion" and "Data comprehension" (or "knowledge") phases of a Splunk deployment lifecycle, i.e., inputs.conf, props.conf, transforms.conf for the most part, but also most index-time knowledge and some other search-time "knowledge" that is event or sourcetype-specific

  • User-oriented apps. These are the elements like reports, alerts, dashboards, etc., that are built on top of the data, as well as search-time knowledge that is application-specific (as in "application" the generic term, not "app" the Splunk object).

The data-oriented apps, as I said are in the linked post. The latter kind are just split up according to user needs.

One problem right now is that it is sometimes hard to prevent "leakage" between apps, because "exporting" of app knowledge is either everywhere or nowhere (Global or App). But for the most part, it's okay to have the data-oriented apps export globally, and then govern access just to the user-oriented ones.

View solution in original post

Reply
Solved! Jump to solution

gmelnik
Engager
‎07-25-2015 09:56 PM

Additionally, [Splunk Developer Guide - Building Splunk Solutions]1 contains many good and proven app building practices discussed in the context of real-world apps.

alt text

Preview file
97 KB
Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-31-2010 02:03 AM

So, first, I have a partial answer here about how to subdivide an app: http://answers.splunk.com/questions/4559/best-practices-for-installing-and-configuring-apps-in-a-dis...

As for how to decide what to make into separate apps, I'd say there are two sets, and you need to have both kinds:

  • Data-oriented apps. These are what I had in mind when I wrote my above post. They basically cover configurations needed in the "Data acquistion" and "Data comprehension" (or "knowledge") phases of a Splunk deployment lifecycle, i.e., inputs.conf, props.conf, transforms.conf for the most part, but also most index-time knowledge and some other search-time "knowledge" that is event or sourcetype-specific

  • User-oriented apps. These are the elements like reports, alerts, dashboards, etc., that are built on top of the data, as well as search-time knowledge that is application-specific (as in "application" the generic term, not "app" the Splunk object).

The data-oriented apps, as I said are in the linked post. The latter kind are just split up according to user needs.

One problem right now is that it is sometimes hard to prevent "leakage" between apps, because "exporting" of app knowledge is either everywhere or nowhere (Global or App). But for the most part, it's okay to have the data-oriented apps export globally, and then govern access just to the user-oriented ones.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...