I have 2 application servers running the same application. In Splunk, I would like to handle the logs separately. To do this, I collect the data in separate indexes. Splunk has a nice app for this application with a lot of dashboards and reports. I have two operators, but they have access to just one of the indexes. What should I do if I would like them to be able to use the Splunk app, but just for the index they have access to?
If I set the app's search macro to index A, index B is out. Adding a new search macro for index B means I need to add that to all the existing searches, dashboards and reports.
How can I install the app twice with two different settings, pointing to the different indexes?
You could create two roles, one for each operator.
Then enable the app (and all the knowledge objects) for both the roles and one index for each role.
In this way, both operators can see the app, but only with their own index.
Obviously, you have to modify your app to address both indexes; the best way to do this is using eventtypes (e.g. index=indexA OR index=indexB).
In this way you have only one app and you can manage the differences at role level.
... in this case I, who have access to both indexes, will see a "mixture" of all logs in the app, right? (That would not be good at all...)
Could I install the same app if I modify the app's folder name and the app.conf in the tgz file beforehand? Do I need to change anything else?
If you want to avoid the mixture, you could add an input option in the dashboards (I did it for a customer!).
About the app, you'll have only one app; you intervene on the Splunk environment (roles).
Looks like there is no easy way :)
Actually, I tried my theory and renamed the app before installing. It is working except for the update...
In other words, you have two apps to maintain!
You could use the Deployment Server to deploy both apps.
Anyway, I suggest modifying your app as I said: it's longer but clearer!
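
The role-based setup suggested in the answers, sketched as Splunk configuration; this is an added example, not part of the original thread or of the app. The role names `operator_a` and `operator_b`, the eventtype name `app_logs`, `<app>` and the capability line are assumptions; `indexA` and `indexB` are the placeholder index names used above.

```ini
# --- authorize.conf (e.g. $SPLUNK_HOME/etc/system/local/) ---
# One role per operator, each limited to a single index.
# No importRoles here on purpose: index access is inherited, so any
# imported role's allowed indexes would be added to the list below.
[role_operator_a]
# minimal capability so the role can run searches (assumption)
search = enabled
srchIndexesAllowed = indexA
srchIndexesDefault = indexA

[role_operator_b]
search = enabled
srchIndexesAllowed = indexB
srchIndexesDefault = indexB

# --- eventtypes.conf (in the app, e.g. etc/apps/<app>/local/) ---
# Single eventtype covering both indexes. The app's searches reference
# eventtype=app_logs instead of a hard-coded index; each role only gets
# results from the index it is allowed to search.
[app_logs]
search = index=indexA OR index=indexB

# --- metadata/local.meta (in the app) ---
# Both operator roles may read the app's knowledge objects,
# only admin may change them.
[]
access = read : [ operator_a, operator_b, admin ], write : [ admin ]
```

A user who holds both roles, or any role allowed on both indexes, gets results from both through this eventtype, which is the "mixture" raised in the thread; the dashboard input mentioned in the reply is what narrows it for such users.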