Hello,
Can you please help me understand the best practices to design and implement the Splunk ecosystem in our organization?
We have around 300 applications deployed onto Dev, QA, Stage and Prod environments;
we have one Splunk Enterprise licensed stand-alone server and 10 applications that aggregate logs to Splunk.
Current settings and usage:
- Configured pool size: the max size of the index is 500 GB
- The daily limit of volume the pool can consume: 11,264 MB
- Currently we are consuming 1-5 MB
We want to have 2 Splunk systems created:
1. For log aggregation for Dev, QA, Stage
2. For Prod
We use Splunk for log aggregation, alerting, reporting, and dashboards.
So I have a few basic questions:
What are the best practices for configuring this kind of environment, considering we have 4 servers available?
1. Can the License Master, Deployment Server and Search Head be hosted on a single server and the Indexer on another server, with Universal Forwarders redirecting logs to the Indexer?
2. Currently, all the logs/data are aggregated to the standalone server; how can I move the dev data to the Dev Splunk server once I have both Splunk instances up and running?
3. Links/references on how to maintain Splunk dashboards as code in Git?
4. Links/references to Ansible playbooks to install/configure Splunk Universal Forwarders on the clients.
Thanks in Advance.