Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the difference between putting configuration files under the Splunk Search app and other apps?

ankithreddy777
Contributor
‎01-17-2017 07:47 AM

May I know the difference between putting configuration files under search-app or any other newly created app/slave-apps in indexers? If we put config files (indexes.conf and props.conf) under search-apps, can we access the index data through other apps?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-17-2017 08:03 AM

Hi ankithreddy777,
access to indexes is related to users roles not to the App in which is inserted the indexes.conf file, so you could configure all conf files in search App, and use them in other Apps.
Every way I suggest to you to insert conf files in the related App for many reason:

  • at first your work order: it's important to clearly identify for every intervene on configurations working in only one App (I usually avoid also to use global objects!);
  • it's important if you need to copy an app in another system (so you can copy only one directory and not a directory + part of some files!);
  • it's useful to maintain Apps: when you create a field or an alias .. all these objects are usually related to sourcetype that usually in defined in props.conf, if you put sourcetype in the search App you have part of your props.conf file in an App (Search) and part of it in another one, and risk to be wrong;
  • maybe you could have only one indexes.conf file, but I don't like. I hope to have been clear. Bye. Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-17-2017 08:03 AM

Hi ankithreddy777,
access to indexes is related to users roles not to the App in which is inserted the indexes.conf file, so you could configure all conf files in search App, and use them in other Apps.
Every way I suggest to you to insert conf files in the related App for many reason:

  • at first your work order: it's important to clearly identify for every intervene on configurations working in only one App (I usually avoid also to use global objects!);
  • it's important if you need to copy an app in another system (so you can copy only one directory and not a directory + part of some files!);
  • it's useful to maintain Apps: when you create a field or an alias .. all these objects are usually related to sourcetype that usually in defined in props.conf, if you put sourcetype in the search App you have part of your props.conf file in an App (Search) and part of it in another one, and risk to be wrong;
  • maybe you could have only one indexes.conf file, but I don't like. I hope to have been clear. Bye. Giuseppe
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...