Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Splunk Development Environment (Best Practices)
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk Development Environment (Best Practices)
Hey Guys,
Trying to brainstorm on ways to create a development environment for my production splunk instance.
I'm not too fluent on transforming non-native log data and would first like to test my work out in a development instance of splunk. (using free license).
Just curious to see how you guys out there are doing it.
I just want to make sure the data is clean and presentable before getting applied to my production indexers.
Furthermore curious on how you guys out there are managing your LF between development and production.
Any feedback is always much appreciated.
Sorry if this sounds a little vague but the questions is pretty open ended and just looking for ideas.
Thanks.
Brian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This may not be best practice, but this is what I do:
I have a Linux machine I use as my dev environment, but it shouldn't matter if it's windows or vmware, etc..
I set up my dev environment to use the same license master as my prod environment (I have plenty of room to grow and waste space if necessary).
I also set up my prod indexers as search peers to my dev indexer: that way if I'm developing a view or searches I can access the events in production without actually adding the views or searches to production yet.
If the logs aren't already being indexed by my production instance, I usually point it to an index on my dev box and play with the data before unleashing into my production environment.
You could even set up a seperate deployment server for your dev environment, or use yoru production one as well.
This is just a few things I do..I'm sure there's others out there who have more ideas..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Search Peers works great - just make sure you have an enterprise license (this won't work with free version)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I especially like the search peers idea - I hadn't thought of that!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
