Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Best indexing practice when dealing with multiple partners

0xlc
Path Finder
‎01-17-2019 08:34 AM

Hi everyone,

i am new to splunk and i am setting it up in our staging and production envs, i would like to know how i could manage this situation

We have something like 30 partners each of them with a bunch of vms, each containing the partner name in the hostname. All of them pointing to the same indexers cluster.

What i would like to do is to search only for a specific partner and get back all results from all its VMs.

I can search:

host=*partnername*

but i am wondering if it's a better idea to create an index with the partner name and set it in each vm.

Or maybe i can create a specific field instead of an index?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎01-17-2019 08:44 AM

The purpose of creating a new index is for retention and security. If each partner has the ability to search the data and you don't want them to look at each others data OR if they have different retention requirements then yes, you should create separate indexes for each partner. If the conditions I laid out above are not true, then you can leave them in the same index

If you decide to go the ladder route, you should create an eventtype for each partner so its easy to search

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎01-17-2019 08:44 AM

The purpose of creating a new index is for retention and security. If each partner has the ability to search the data and you don't want them to look at each others data OR if they have different retention requirements then yes, you should create separate indexes for each partner. If the conditions I laid out above are not true, then you can leave them in the same index

If you decide to go the ladder route, you should create an eventtype for each partner so its easy to search

0 Karma
Reply
Solved! Jump to solution

0xlc
Path Finder
‎01-17-2019 08:50 AM

They don't have access to our logs.

It's internal just for us. And what i want to do it's just to make a partner's log easier to find.

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎01-17-2019 09:39 AM

Great, then you should put it into a single index. You'll use more storage if you have separate indexes due to the additional tsidx files generated

You should create eventtypes for each partner or tag their host to make it easy to find. If this answered your question, can you please accept it to close it out?

0 Karma
Reply
Solved! Jump to solution

0xlc
Path Finder
‎01-17-2019 09:44 AM

yes perfect thanks!

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...