Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Cluster indexes.conf -> inputs.conf -> App -> serverClass confusion

jcorcoran508
Path Finder
‎09-11-2022 06:53 PM

I am creating an index - configured the inputs.conf file.

I have two prod servers with app logs that have the same Linux path 

Additionally, I have two test servers (Non-Prod) both had the same linux log paths , but different from the prod servers.

Besides hard coding the servers in the inputs.conf file how does the process determine what host to collect the log data from identical paths listed in the inputs.conf

some questions:

Can I use the same index with prod and non prod (best practice ?)

So the inputs.conf has the index=x under the log stanza name  , so that maps the inputs.conf file to collect the data and the data belongs to index=x.

In the deployment I create a serverClass with all 4 servers (prod and non prod)

and assign the server class to the App that has inputs.conf file. 

Should I be creating separate indexes (prod and non-prod) then create separate  Apps (prod and non-prod)  then create separate ServerClasses (prod and non prod) ?

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-11-2022 11:44 PM

Hi @jcorcoran508,

the choose to have the same or two different indexes for Production and not production, usually depends on two factors:

  • the data retention,
  • the access rights.

if the Non Prod data must be conserved for the same time of the Prod data and the people that have to access  are the same you can use the same index, otherwise you need to use different indexes, usually two different indexes are used!

Also because using one index you have to add to your searches the filter Prod/nonProd.

About inputs.conf, you have to create two apps to deploy using two different ServerClasses in the Deployment Server: each app contains an inputs.conf with the correct index to send data.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...