Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Best indexing practice when dealing with multiple partners

0xlc
Path Finder
‎01-17-2019 08:34 AM

Hi everyone,

i am new to splunk and i am setting it up in our staging and production envs, i would like to know how i could manage this situation

We have something like 30 partners each of them with a bunch of vms, each containing the partner name in the hostname. All of them pointing to the same indexers cluster.

What i would like to do is to search only for a specific partner and get back all results from all its VMs.

I can search:

host=*partnername*

but i am wondering if it's a better idea to create an index with the partner name and set it in each vm.

Or maybe i can create a specific field instead of an index?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎01-17-2019 08:44 AM

The purpose of creating a new index is for retention and security. If each partner has the ability to search the data and you don't want them to look at each others data OR if they have different retention requirements then yes, you should create separate indexes for each partner. If the conditions I laid out above are not true, then you can leave them in the same index

If you decide to go the ladder route, you should create an eventtype for each partner so its easy to search

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎01-17-2019 08:44 AM

The purpose of creating a new index is for retention and security. If each partner has the ability to search the data and you don't want them to look at each others data OR if they have different retention requirements then yes, you should create separate indexes for each partner. If the conditions I laid out above are not true, then you can leave them in the same index

If you decide to go the ladder route, you should create an eventtype for each partner so its easy to search

0 Karma
Reply
Solved! Jump to solution

0xlc
Path Finder
‎01-17-2019 08:50 AM

They don't have access to our logs.

It's internal just for us. And what i want to do it's just to make a partner's log easier to find.

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎01-17-2019 09:39 AM

Great, then you should put it into a single index. You'll use more storage if you have separate indexes due to the additional tsidx files generated

You should create eventtypes for each partner or tag their host to make it easy to find. If this answered your question, can you please accept it to close it out?

0 Karma
Reply
Solved! Jump to solution

0xlc
Path Finder
‎01-17-2019 09:44 AM

yes perfect thanks!

Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...