Getting Data In

Cluster indexes.conf -> inputs.conf -> App -> serverClass confusion

jcorcoran508
Path Finder

I am creating an index - configured the inputs.conf file.

I have two prod servers with app logs that have the same Linux path.

Additionally, I have two test servers (Non-Prod); both have the same Linux log paths, but different from the prod servers.

Besides hard-coding the servers in the inputs.conf file, how does the process determine what host to collect the log data from identical paths listed in the inputs.conf?

Some questions:

Can I use the same index with prod and non-prod (best practice?)

So the inputs.conf has the index=x under the log stanza name, so that maps the inputs.conf file to collect the data and the data belongs to index=x.

In the deployment I create a serverClass with all 4 servers (prod and non-prod) and assign the server class to the App that has the inputs.conf file.

Should I be creating separate indexes (prod and non-prod), then create separate Apps (prod and non-prod), then create separate ServerClasses (prod and non-prod)?

 

0 Karma

gcusello
SplunkTrust

Hi @jcorcoran508,

The choice to have the same or two different indexes for Production and non-production usually depends on two factors:

  • the data retention,
  • the access rights.

If the Non Prod data must be conserved for the same time as the Prod data and the people that have to access it are the same, you can use the same index; otherwise you need to use different indexes. Usually two different indexes are used!

Also because, using one index, you have to add the Prod/nonProd filter to your searches.

About inputs.conf, you have to create two apps to deploy using two different ServerClasses in the Deployment Server: each app contains an inputs.conf with the correct index to send data.

Ciao.

Giuseppe

0 Karma
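The layout described in the answer above, written out as an added configuration example (not taken from either post): two server classes, two apps, two indexes, with retention and search access set per index. All host names, app names, index names, log paths, retention values and role names are constructed placeholders.

```ini
# --- Deployment server: serverclass.conf ---
# A forwarder only monitors files on its own disk, so the server class
# (not inputs.conf) decides which hosts collect which paths.
[serverClass:app_logs_prod]
whitelist.0 = prodapp01.example.com
whitelist.1 = prodapp02.example.com

[serverClass:app_logs_prod:app:inputs_app_logs_prod]
restartSplunkd = true

[serverClass:app_logs_nonprod]
whitelist.0 = testapp01.example.com
whitelist.1 = testapp02.example.com

[serverClass:app_logs_nonprod:app:inputs_app_logs_nonprod]
restartSplunkd = true

# --- deployment-apps/inputs_app_logs_prod/local/inputs.conf ---
[monitor:///opt/app/logs/*.log]
index = app_prod

# --- deployment-apps/inputs_app_logs_nonprod/local/inputs.conf ---
[monitor:///opt/app-test/logs/*.log]
index = app_nonprod

# --- indexes.conf, pushed to the indexer cluster peers ---
# Separate indexes allow separate retention (values below are examples).
[app_prod]
homePath = $SPLUNK_DB/app_prod/db
coldPath = $SPLUNK_DB/app_prod/colddb
thawedPath = $SPLUNK_DB/app_prod/thaweddb
repFactor = auto
frozenTimePeriodInSecs = 31536000

[app_nonprod]
homePath = $SPLUNK_DB/app_nonprod/db
coldPath = $SPLUNK_DB/app_nonprod/colddb
thawedPath = $SPLUNK_DB/app_nonprod/thaweddb
repFactor = auto
frozenTimePeriodInSecs = 2592000

# --- Search head: authorize.conf (capabilities omitted) ---
# Separate indexes allow separate access rights per role.
[role_app_prod_reader]
srchIndexesAllowed = app_prod

[role_app_nonprod_reader]
srchIndexesAllowed = app_nonprod
```

Avoid inheriting from a role that already allows all indexes, because imported `srchIndexesAllowed` values are added to the role's own and would undo the prod/non-prod separation.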