Multiple indexes/Custom app

Branden
Builder

I am writing an app for my team to use. Let's call the app xyz. The app will make use of various inputs, saved searches, etc...

I've already deployed a bunch of inputs/"apps" using the Deployment Server. For example, to search for fibre channel adapter errors, I created an app called "fc". It resides in /splunk/etc/apps/fc. There's a Weblogic app in /splunk/etc/apps/weblogic. Etc...

Keep in mind I'm only using one index (main).

I want the xyz app to make use of the data already indexed by those deployed apps; I don't want my xyz app re-indexing that data specifically. Please correct me if I'm wrong, there's nothing wrong with that approach, right?

However, as a best practice, should I consider indexing our "custom" data (fc, weblogic, etc...) into another index? My team is the only one using Splunk presently, so protecting the data from others isn't an issue really.

Thank you very much.

1 Solution

ftk
Motivator

I don't see anything wrong with that approach per se. If you are putting everything in the main index then your app will be able to access that data. If you do not want your new app to index the same data, just don't add any inputs to it.

In regards to index segmentation, the best practice really does depend on your environment and requirements. Separating indexes will provide you with the means of easily restricting people to certain data sets and specifying different retention periods per index. For example you may want to keep your web logs for five years, your top stats for three months, and your audit logs for one year online and then archive them to disk. Additionally, you can sign events or blocks of events in indexes in order to detect tampering.

By setting up different retention periods and cold to frozen actions you can more efficiently use your storage.

I recommend the About Managing Indexes chapter in the docs for further reading.
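An added example (not part of ftk's answer or of any Splunk app) showing how the separation described above is expressed in Splunk config: three indexes with the retention periods from the answer, one of them archiving to disk instead of deleting, an input stanza that routes a deployed app's data to its own index rather than main, and a role that is only allowed to search selected indexes. The index names, monitor paths, archive directory and role name are assumptions.

```ini
# indexes.conf (on the indexer): one index per data set, each with its own
# retention. Index names and paths are assumptions for illustration.

[web]
homePath   = $SPLUNK_DB/web/db
coldPath   = $SPLUNK_DB/web/colddb
thawedPath = $SPLUNK_DB/web/thaweddb
# five years online (5 * 365 * 86400 s); expired buckets are deleted
frozenTimePeriodInSecs = 157680000

[topstats]
homePath   = $SPLUNK_DB/topstats/db
coldPath   = $SPLUNK_DB/topstats/colddb
thawedPath = $SPLUNK_DB/topstats/thaweddb
# three months (90 days) online, then deleted
frozenTimePeriodInSecs = 7776000

[audit]
homePath   = $SPLUNK_DB/audit/db
coldPath   = $SPLUNK_DB/audit/colddb
thawedPath = $SPLUNK_DB/audit/thaweddb
# one year online; when a bucket freezes it is copied to this directory
# instead of being deleted, so it can be thawed later if needed
frozenTimePeriodInSecs = 31536000
coldToFrozenDir = /splunk/archive/audit

# inputs.conf (in the deployed "weblogic" app on the forwarder): send that
# app's events to the "web" index instead of main. The path is a placeholder.
# The target index must already exist on the indexer or events are dropped.
[monitor:///opt/weblogic/logs/]
sourcetype = weblogic
index = web

# authorize.conf (on the search head): a role that may only search the
# audit and web indexes, which is what makes per-index access control work.
[role_xyz_team]
importRoles = user
srchIndexesAllowed = audit;web
srchIndexesDefault = audit
```

Splunk applies frozenTimePeriodInSecs per bucket based on the newest event in the bucket, so a bucket is kept until its newest event is older than the period, not its oldest.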


Branden
Builder

Thank you very much!
