Scenario:
So, how would this be tackled?
This must be a fairly common scenario for other organisations, but I cannot find anything useful, so would welcome any advice 🙂
The only way I can see is to customise the app in question with different indexes etcetera - but previous experience has taught me such things are never quite as easy to achieve as one might hope.
Assuming the app doesn't have support for multiple teams and sets of indexes then, yes, you'll need multiple instances of the app.
The easiest way to do that is with separate search heads - one for each team. That's simpler with VMs, but still makes managing Splunk more complicated. It's not as complicated as the alternative, though.
If you can't use separate SHs then you'll have to install multiple apps on the same SH. It's a manual process. The copy will need a different directory within $SPLUNK_HOME/etc/apps. You'll also need to change the label in default/app.conf so the teams can tell which instance is theirs. The biggest challenge is modifying the duplicate instance not only to use the other set of indexes, but to make sure any links to other app pages (drilldowns, etc.) refer to the right app instance. Of course, you'll have to repeat this process when the app is updated.
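The manual copy-and-relabel process described above, as an added example script (not code from the answer or from Splunk); it assumes the app's searches live in .conf files and Simple XML views, and that the index names (team_a, team_b) and app names (team_a_app, team_b_app) are placeholders for your own:

```shell
#!/bin/sh
# Added example: clone a Splunk app so a second team gets its own instance
# pointed at its own indexes. Assumes searches live in .conf files and
# Simple XML views (apps that build searches in JavaScript need manual work).
set -eu

clone_splunk_app() {
  home=$1 src=$2 dst=$3 label=$4 old_idx=$5 new_idx=$6
  src_dir="$home/etc/apps/$src"; dst_dir="$home/etc/apps/$dst"
  [ -d "$src_dir" ] || { echo "no such app: $src_dir" >&2; return 1; }
  [ ! -e "$dst_dir" ] || { echo "refusing to overwrite: $dst_dir" >&2; return 1; }
  cp -R "$src_dir" "$dst_dir"
  # Relabel so each team can tell which instance is theirs.
  for conf in "$dst_dir/default/app.conf" "$dst_dir/local/app.conf"; do
    if [ -f "$conf" ]; then
      sed "s/^label *=.*/label = $label/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    fi
  done
  # Repoint index= clauses (word-bounded, so team_a does not hit team_a_old)
  # and in-app links (/app/<src>/...) in every .conf and view XML file.
  find "$dst_dir" -type f \( -name '*.conf' -o -name '*.xml' \) | while read -r f; do
    sed -e "s/index *= *\"\{0,1\}$old_idx\"\{0,1\}\([^A-Za-z0-9_]\)/index=$new_idx\1/g" \
        -e "s/index *= *\"\{0,1\}$old_idx\"\{0,1\}$/index=$new_idx/" \
        -e "s#/app/$src/#/app/$dst/#g" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  done
  echo "$dst_dir"
}

# Constructed sample app (not a real Splunk app) used to exercise the clone.
make_sample_app() {
  home=$1; app="$home/etc/apps/team_a_app"
  mkdir -p "$app/default/data/ui/views"
  printf '[ui]\nlabel = Team A Dashboards\n' > "$app/default/app.conf"
  printf '[failed_logins]\nsearch = index=team_a action=failure | stats count by user\n' \
    > "$app/default/savedsearches.conf"
  printf '<dashboard><row><panel><table><search><query>index="team_a" | head 5</query></search>\n<drilldown><link>/app/team_a_app/detail?user=$row.user$</link></drilldown></table></panel></row></dashboard>\n' \
    > "$app/default/data/ui/views/overview.xml"
  echo "$app"
}

if [ "${1:-}" = "demo" ]; then
  demo_home=$(mktemp -d)
  make_sample_app "$demo_home" > /dev/null
  clone_splunk_app "$demo_home" team_a_app team_b_app "Team B Dashboards" team_a team_b
  grep -r 'index=' "$demo_home/etc/apps/team_b_app"
fi
```

Run it with `demo` as the first argument to see the rewritten searches; after a real clone, diff the two app directories again after every app upgrade, since the upstream update will only land in the original copy.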
Thanks for that, food for thought.
If I go down the team search head route - does that not still lead to confusion regarding any indexes created by the app?