Splunk Search

Best Practice for saved searches and own APPs / TA

tfechner
Path Finder

Hi there,

we have a SH-cluster and index-cluster (and Dextra deploy-server).
We defined some automatic lookups and searches on the SH-cluster. The permissions are set to read for everyone so that event enrichment is done for all users. Works fine.
But if we add more, there could be a mess.
So we are thinking of a company TA which defines all searches and lookups across all standard TAs and apps: doing an LDAP extraction is moved from the SA-ldapsearch-app to our app, for example.

Is that a good scheme to work with, or should every "addon" or search for an app be as close as possible to the original app?

Torsten

0 Karma
1 Solution

jplumsdaine22
Influencer

There's lots of ways to skin this cat and I hesitate to recommend a solution without knowing your exact circumstances and the tradeoffs you're willing to make.

From my own experience managing several thousand users you want to get out of the business of directly managing Knowledge Objects as soon as possible. A better way to do it is to create team/role based apps that do not export objects globally. That way users will not be interfering with each other.
But, if you have only a very small user base then what you're suggesting could be feasible.

However I would leave SAs and TAs alone where possible. Other apps (I'm looking at you ITSI) may be expecting them and the last thing you want to do is to create custom dependencies in your environment.
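
The two sharing models discussed in this thread, as an added example of app metadata (not posted by any participant): a company-wide enrichment app that exports only its lookups and extractions globally, beside a team app whose objects stay app-local. The app names `acme_enrichment` and `team_netops` and the roles `netops_user` and `netops_power` are hypothetical.

```ini
# --- acme_enrichment/metadata/default.meta ---
# (hypothetical company app holding shared enrichment)
# Default for everything in the app: readable by all, writable by admin only,
# and not visible outside the app.
[]
access = read : [ * ], write : [ admin ]
export = none

# Field extractions and automatic lookups have to be visible in every app
# context for enrichment to apply to all users, so only these are exported.
[props]
export = system

[transforms]
export = system

[lookups]
export = system

# Scheduled searches stay inside the app so other apps do not inherit them.
[savedsearches]
export = none

# --- team_netops/metadata/default.meta ---
# (hypothetical team/role-based app)
# Only the team's roles can read or write, and nothing leaves the app,
# so one team's knowledge objects cannot interfere with another's.
[]
access = read : [ netops_user, netops_power ], write : [ netops_power ]
export = none
```

Vendor SAs and TAs keep their own metadata untouched in this layout; the custom objects live in the separate apps.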

sloshburch
Splunk Employee

Agreed that it's not a clear cut solution. I'll reach out to you on the side.

0 Karma

jplumsdaine22
Influencer

A private SloshBurch experience? @tfechner you're in for a treat 🙂

0 Karma

tfechner
Path Finder

Thanks. I will try to create an app for all custom field extractions, scheduled searches and field actions.

0 Karma