Getting Data In

Splunk Development Environment (Best Practices)

balbano
Contributor

Hey Guys,

Trying to brainstorm on ways to create a development environment for my production splunk instance.

I'm not too fluent on transforming non-native log data and would first like to test my work out in a development instance of splunk. (using free license).

Just curious to see how you guys out there are doing it.

I just want to make sure the data is clean and presentable before getting applied to my production indexers.

Furthermore curious on how you guys out there are managing your LF between development and production.

Any feedback is always much appreciated.

Sorry if this sounds a little vague but the questions is pretty open ended and just looking for ideas.

Thanks.

Brian

Brian_Osburn
Builder

This may not be best practice, but this is what I do:

I have a Linux machine I use as my dev environment, but it shouldn't matter if it's windows or vmware, etc..

I set up my dev environment to use the same license master as my prod environment (I have plenty of room to grow and waste space if necessary).

I also set up my prod indexers as search peers to my dev indexer: that way if I'm developing a view or searches I can access the events in production without actually adding the views or searches to production yet.

If the logs aren't already being indexed by my production instance, I usually point it to an index on my dev box and play with the data before unleashing into my production environment.

You could even set up a seperate deployment server for your dev environment, or use yoru production one as well.

This is just a few things I do..I'm sure there's others out there who have more ideas..

slierninja
Communicator

Search Peers works great - just make sure you have an enterprise license (this won't work with free version)

0 Karma

lguinn2
Legend

I especially like the search peers idea - I hadn't thought of that!

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...