Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Cluster indexes.conf -> inputs.conf -> App -> serverClass confusion

jcorcoran508
Path Finder
‎09-11-2022 06:53 PM

I am creating an index - configured the inputs.conf file.

I have two prod servers with app logs that have the same Linux path 

Additionally, I have two test servers (Non-Prod) both had the same linux log paths , but different from the prod servers.

Besides hard coding the servers in the inputs.conf file how does the process determine what host to collect the log data from identical paths listed in the inputs.conf

some questions:

Can I use the same index with prod and non prod (best practice ?)

So the inputs.conf has the index=x under the log stanza name  , so that maps the inputs.conf file to collect the data and the data belongs to index=x.

In the deployment I create a serverClass with all 4 servers (prod and non prod)

and assign the server class to the App that has inputs.conf file. 

Should I be creating separate indexes (prod and non-prod) then create separate  Apps (prod and non-prod)  then create separate ServerClasses (prod and non prod) ?

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-11-2022 11:44 PM

Hi @jcorcoran508,

the choose to have the same or two different indexes for Production and not production, usually depends on two factors:

  • the data retention,
  • the access rights.

if the Non Prod data must be conserved for the same time of the Prod data and the people that have to access  are the same you can use the same index, otherwise you need to use different indexes, usually two different indexes are used!

Also because using one index you have to add to your searches the filter Prod/nonProd.

About inputs.conf, you have to create two apps to deploy using two different ServerClasses in the Deployment Server: each app contains an inputs.conf with the correct index to send data.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...