Splunk Search

Modifying Splunk query to include multiple hosts from Production and DR app servers without duplicating data

kapiljagdishwal
New Member

I have a dashboard prepared in Splunk Enterprise for Production where input data is coming from one of my application servers.
I have a DR site for that application server. Now I want my same Splunk dashboard to show me either Production or DR input data based on a drop-down list at the top of the dashboard. How do I carry this out without duplicating data coming from both the hosts, i.e. PROD and DR? (Both PROD and DR consist of multiple hosts, with 6 servers on each side.)
Can tags be used here and, if yes, how?

0 Karma

kapiljagdishwal
New Member

Yes. I want data from both the sources in the same dashboard and, depending on the drop-down list at the top of the dashboard, when I select PROD the dashboard should update with prod results, whereas when I select DR the dashboard should update with DR results.
The thing is, we want to have the same Splunk dashboard be used for the Disaster Recovery environment without having to make significant changes when we switch from Production to DR.

0 Karma

Sukisen1981
Champion

Might be time to add 2 drop-down input fields: one a static input with prod or dr as options, and another based on the first selection, which, depending on whether the user selects prod or dr, opens up the list of hosts/servers.
Basically, you need to have some distinction between prod and dr. You have a total of 12 servers on both sides, and if you plan to include this in the dropdown AND the user knows which server she/he is looking for, you can get by with one dropdown input. If there are common fields which you intend to be in the dropdown, you've got to have another input box for the user to select prod or dr and then populate the second one based on the first dropdown selection.
Hope I have not confused you 🙂

0 Karma

kapiljagdishwal
New Member

Can I not have something like this?
User selects PROD or DR from the drop-down list, and these values for PROD and DR are basically tags which comprise a list of hostnames for PROD and DR servers, such as:
PROD tag will be host = p1 or host = p2 or host = p3 or host = 4
DR tag will be host = d1 or host = d2 or host = d3 or host = d4

And depending on the selection from the drop-down list, the tag will comprise the hostnames for prod or dr, and accordingly my search query in the dashboard will be populated with input from the selection (prod or dr hosts in this case).

0 Karma

Sukisen1981
Champion

It really depends upon your use case. Yes, you can tag prod or dr hosts with 2 tags respectively, but then if you do something like `index="xyz" tag::action="prod"`, assuming you have tagged p1, p2 and p3 with a tag named prod,
it will then return ALL events wherein this tag is present, meaning all events with hosts p1, p2 or p3. You can then further apply a pipe and do the rest of the stuff (capture the events that are really needed) from amongst all those that are tagged with the prod tag... this should work.
So the token from the first dropdown is what will be set in the subsequent searches, something like `index="xyz" tag::action="$field1$"`. Here you give the user the option to choose prod or dr, and then this gets passed in the $ tokens; you will already have defined what all events the "prod" or "dr" tags are linked to.

0 Karma
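As an added illustration of the token-driven approach described above (this is example dashboard source written for this thread, not code posted by either participant), here is a Simple XML form with one static dropdown whose token `env` is substituted into the panel search. It assumes the tag names `prod` and `dr` have already been applied to the `host` field values (p1, p2, ... and d1, d2, ...) in Settings > Tags, and that the index is called `xyz`; both names are placeholders. The data itself is indexed once per host, so nothing is duplicated: the dropdown only changes which hosts the search matches.

```xml
<form>
  <label>Application dashboard (PROD / DR)</label>

  <fieldset submitButton="false" autoRun="true">
    <!-- Static dropdown: the selected value is exposed as $env$ -->
    <input type="dropdown" token="env" searchWhenChanged="true">
      <label>Environment</label>
      <choice value="prod">Production</choice>
      <choice value="dr">Disaster Recovery</choice>
      <default>prod</default>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>Events per host ($env$)</title>
      <table>
        <search>
          <!-- tag::host restricts the match to the tag applied to the host field,
               so a "prod" tag on some other field cannot widen the result set.
               Index name and tag names are assumed placeholders. -->
          <query>index="xyz" tag::host="$env$" | stats count BY host</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Every panel that should follow the dropdown simply references `$env$` in its query; no search has to be rewritten when you switch to DR. Using `tag::host` rather than a bare `tag=` keeps the filter anchored to the host field, which is the check a reviewer would want before trusting the PROD/DR split. If you prefer not to maintain tags, the same form works with the host list embedded in the choice itself (for example `<choice value="(host=p1 OR host=p2 OR host=p3)">Production</choice>`) and `$env$` placed where the tag clause is.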

Sukisen1981
Champion

This is confusing me: you want data from both prod and dr to be captured in the same dashboard, right?
Then you would need data from both sources. Are you saying that you are getting duplicate data from prod or dr or both, specific to THAT particular index?

0 Karma