IT Operations Discussions
All the up-time. All the nines.

Multiple Instances of a TA/App

anapp
Engager

Scenario:

  • Team A ask for an app e.g. Splunk App for Jenkins, which is installed and all is well.
  • Now team B comes along wanting the same app. 
  • Teams A and B cannot have access to each others' data.

So, how would this be tackled?

This must be a fairly common scenario for other organisations, but cannot find any useful so would welcome any advice 🙂

The only way I can see is to customise the app in question with different indexes etcetera - but previous experience has taught be such things are never quite as easy to achieve as one might hope. 

Tags (3)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Assuming the app doesn't have support for multiple teams and sets of indexes then, yes, you'll need multiple instances of the app.

The easiest way to do that is with separate search heads - one for each team.  That's simpler with VMs, but still makes managing Splunk more complicated.  It's not as complicated as the alternative, though.

If you can't use separate SHs then you'll have to install multiple apps on the same SH.  It's a manual process.  The copy will need a different directory within $SPLUNK_HOME/etc/apps.  You'll also need to change the label in default/app.conf so the teams can tell which instance is theirs.  The biggest challenge is modifying the duplicate instance not only to use the other set of indexes, but to make sure any links to other app pages (drilldowns, etc.) refer to the right app instance.  Of course, you'll have to repeat this process when the app is updated.

---
If this reply helps you, an upvote would be appreciated.

anapp
Engager

Thanks for that, food for thought.

If I go down the team search head route - does that not still lead to confusion regarding any indexes created by the app?

0 Karma

soutamo
SplunkTrust
SplunkTrust
As you said that teams can’t access to another team data, you must (should) use separate indexes to them and manage acces with those.
Another way is to use search filters on roles, but this probably generates more issues than solves....
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!