Hi Awesome People,
We are making a Splunk App for one of our products, and the goal is to display the stats collected from that product's usage to the customer using it, in the form of pretty dashboards. We have exposed all of those stats as REST APIs which can be used from anywhere with API key authentication. So far so good.
Now here's a decision I cannot make and need your help in deciding. Which is the preferred method of achieving the above?
1- Use a modular input to poll our APIs and index the results in Splunk and then simply make use of Splunk's query language to get the stats from the indexed data.
2- Create custom search commands that communicate to our REST APIs and then use these custom commands in dashboards to render the data.
I don't have much experience with using Splunk, so I don't know which one of the above options is less complex in terms of time, memory and storage. So, please guide me on which method I should use.
Thanking you all for reading my query and helping me out in any way.
I recommend indexing the data. Once the data is indexed it can be used for dashboards, but it can also be used for other purposes. It also gives you a historical record of the data.
Custom commands put additional load on your API servers each time the dashboard is opened or refreshed. By indexing the data you avoid this extra server load.
Another way to avoid ad-hoc load would be to run the custom search commands as a scheduled report and access the report on the dashboard instead of the search itself.
That works if all you care about is the latest result. If you want historical data, or would have a need to track the API reliability, then ingesting is the way to go.
Hi @richgalloway and @anthonymelita,
Thanks for your responses. I do see the value in indexing data as well as the scheduled reports method, but here is my concern: the stats from our APIs are given based on a few parameters provided by the user (e.g. timerange, usertype, etc.). Now, since we don't have any knowledge of what the user might input, we cannot make the REST API call without knowing his/her input first. Wouldn't the whole idea of indexing or scheduled reports fail here? Let me know your thoughts on this.
Create a modular input that indexes API data continuously for all user types. Then any user query can be satisfied from the index.
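The approach in the last answer, sketched as an added example that is not code from any poster or from Splunk: the poller fetches small fixed time buckets for every user type, so the timerange and usertype a user picks later become search-time filters over indexed events. `fetch_stats`, `fake_api`, the user type values, the `requests` field and the 5-minute bucket are assumptions; a real modular input would write the events to Splunk and persist the checkpoint between runs.

```python
import json
from datetime import datetime, timedelta, timezone

USER_TYPES = ("admin", "member", "guest")  # assumed values of the usertype parameter
BUCKET = timedelta(minutes=5)              # finest time range a dashboard can later select


def poll_once(fetch_stats, checkpoint, now):
    """Fetch every complete bucket since `checkpoint` for every user type.

    fetch_stats(usertype, start, end) -> dict is a hypothetical wrapper around the
    product's REST API; it holds the API key, so the key never lands in an event.
    Returns (events, new_checkpoint). The checkpoint only moves past buckets that
    were fetched for all user types, so a failed poll is retried without gaps.
    """
    events, start = [], checkpoint
    while start + BUCKET <= now:
        end = start + BUCKET
        try:
            bucket = [
                json.dumps({"time": start.timestamp(), "usertype": ut,
                            **fetch_stats(ut, start, end)}, sort_keys=True)
                for ut in USER_TYPES
            ]
        except OSError:  # API unreachable: keep the complete buckets, retry later
            break
        events.extend(bucket)
        start = end
    return events, start


def search(events, usertype, earliest, latest, field="requests"):
    """Search-time equivalent: filter by usertype and time range, then sum a field."""
    total = 0
    for raw in events:
        e = json.loads(raw)
        if e["usertype"] == usertype and earliest.timestamp() <= e["time"] < latest.timestamp():
            total += e[field]
    return total


def fake_api(usertype, start, end):
    """Constructed sample data: a fixed request rate per minute for each user type."""
    rate = {"admin": 1, "member": 10, "guest": 3}[usertype]
    return {"requests": rate * int((end - start).total_seconds() // 60)}


T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed start time
```
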