Getting Data In

Multiple indexes/Custom app

Branden
Builder

I am writing an app for my team to use. Let's call the app xyz. The app will make use of various inputs, saved searches, etc...

I've already deployed a bunch of inputs/"apps" using the Deployment Server. For example, to search for fibre channel adapter errors, I created an app called "fc". It resides in /splunk/etc/apps/fc. There's a Weblogic app in /splunk/etc/apps/weblogic. Etc...

Keep in mind I'm only using one index (main).

I want the xyz app to make use of the data already indexed by those deployed apps; I don't want my xyz app re-indexing that data specifically. Please correct me if I'm wrong: there's nothing wrong with that approach, right?

However, as a best practice, should I consider indexing our "custom" data (fc, weblogic, etc...) into another index? My team is the only one using Splunk presently, so protecting the data from others isn't an issue really.

Thank you very much.

1 Solution

ftk
Motivator

I don't see anything wrong with that approach per se. If you are putting everything in the main index, then your app will be able to access that data. If you do not want your new app to index the same data, just don't add any inputs to it.

With regard to index segmentation, the best practice really does depend on your environment and requirements. Separating indexes will provide you with the means of easily restricting people to certain data sets and specifying different retention periods per index. For example, you may want to keep your web logs for five years, your top stats for three months, and your audit logs for one year online and then archive them to disk. Additionally, you can sign events or blocks of events in indexes in order to detect tampering.

By setting up different retention periods and cold-to-frozen actions, you can more efficiently use your storage.

I recommend the About Managing Indexes chapter in the docs for further reading.

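As an added illustration of the split ftk describes and of the reuse Branden asks about (this is not configuration from the original post, from ftk, or Splunk's shipped defaults): the fragments below route the deployed fc app to its own index, set retention per index with one cold-to-frozen archive action, bound a role to those indexes, and let the xyz app search the data while defining no inputs of its own. The index names, monitor path, sourcetype, archive directory, role name and retention periods (chosen to match the numbers in the answer) are assumptions.

```ini
# indexes.conf on the indexer: one index per data set, each with its own
# retention. Index names, paths and periods are assumptions for illustration.
[fc]
homePath   = $SPLUNK_DB/fc/db
coldPath   = $SPLUNK_DB/fc/colddb
thawedPath = $SPLUNK_DB/fc/thaweddb
# fibre channel adapter errors: keep 90 days, then delete (no frozen action)
frozenTimePeriodInSecs = 7776000

[weblogic]
homePath   = $SPLUNK_DB/weblogic/db
coldPath   = $SPLUNK_DB/weblogic/colddb
thawedPath = $SPLUNK_DB/weblogic/thaweddb
# web logs: keep 5 years online
frozenTimePeriodInSecs = 157680000

[audit]
homePath   = $SPLUNK_DB/audit/db
coldPath   = $SPLUNK_DB/audit/colddb
thawedPath = $SPLUNK_DB/audit/thaweddb
# audit logs: 1 year online, then buckets are moved to archive disk
# instead of deleted (the "cold to frozen" action)
frozenTimePeriodInSecs = 31536000
coldToFrozenDir = /archive/splunk/audit

# /splunk/etc/apps/fc/local/inputs.conf (the deployed fc app): the only
# change is routing new events to the fc index instead of main.
# The monitor path and sourcetype are assumed.
[monitor:///var/log/fc/*.log]
sourcetype = fc:adapter
index = fc
disabled = false

# authorize.conf: a role limited to the team's indexes. srchIndexesAllowed
# bounds what the role may search; srchIndexesDefault is what searches
# without an explicit index= hit, so an index missing from it is silently
# not searched.
[role_xyz_team]
importRoles = user
srchIndexesAllowed = fc;weblogic;audit
srchIndexesDefault = fc;weblogic;audit

# /splunk/etc/apps/xyz/local/savedsearches.conf: xyz ships searches and
# no inputs.conf, so it reuses what fc indexed and indexes nothing itself.
# The OR on main catches events the fc input wrote before the index change.
[FC adapter errors by host]
search = index=fc OR index=main sourcetype=fc:adapter | stats count by host
dispatch.earliest_time = -24h
dispatch.latest_time = now
enableSched = 0
```

Two checks worth doing after a change like this. Setting index= on an input only affects events indexed from that point on; whatever the fc input already wrote to main stays in main until it ages out under main's retention, which is why the saved search still ORs in main and why that OR can be dropped once the pre-move data has expired. And a role whose srchIndexesDefault omits an index returns nothing from it for searches that do not name the index explicitly, which is easy to mistake for missing data.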

Branden
Builder

Thank you very much!
