
Does the Splunk for XenApp app need three different Indexes?

mohankesireddy
Path Finder

Hi everyone, I am doing a POC with XenApp in our environment. I am able to install it and get all the charts and tables to populate with data. But it uses three different indexes. My question is: does it really need three different indexes? Is there any specific reason why it uses three different indexes? Any help is greatly appreciated.

0 Karma
1 Solution

rturk
Builder

Hi Mohankesireddy,

Looking at the XenApp app I have here, I have the following indexes:

  • xenapp
  • xenapp_alerts
  • xenapp_perfmon
  • xenapp_winevents

The following reasons apply to not only the XenApp app, but pretty much any other complex app you care to think of...

Different security requirements for data - An index is the lowest logical unit that security may be effectively applied to. For example, you want your Ops team to see the alerts data, but not the perfmon data (not a realistic example, but I hope you understand my meaning).

Different retention rates - You may want to keep your alert data and winevents data for 30 days, but only care about your perfmon data for 7 days. Separate indexes allow you this flexibility (and this is crucial for compliance purposes).

Different storage requirements - What if another team needed to use some data in a mission-critical manner (e.g. alerting) and so needs to ensure that their searches run as quickly as possible? With separate indexes you can specify separate (quicker) storage tiers, making this possible. Alternatively, you might need to back up some security-related data for long periods (e.g. 7 years), so you can move that index's data to cheaper storage.

Effective compression - Grouping similar data together helps with compression rates.

Summary Indexing - The creation of an additional index for the purpose of summarisation greatly increases the performance of apps, dashboards, and searches.

There are a bunch of other reasons (incl. performance), but I believe these alone justify why it's a good idea to use multiple indexes... all of which would have been relevant to the developer as they created the XenApp app.

Hope this helps 🙂
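
The access-control and retention reasons in the answer above, sketched as Splunk configuration. This is an added example, not part of the original post and not the XenApp app's own configuration; the role name `xenapp_ops`, the `$SPLUNK_DB` paths and the 30-day/7-day values are assumptions taken from the answer's illustration.

```ini
# indexes.conf (constructed example; paths are assumptions)

[xenapp_alerts]
homePath   = $SPLUNK_DB/xenapp_alerts/db
coldPath   = $SPLUNK_DB/xenapp_alerts/colddb
thawedPath = $SPLUNK_DB/xenapp_alerts/thaweddb
# Keep alert data for 30 days (30 * 86400 seconds).
frozenTimePeriodInSecs = 2592000

[xenapp_perfmon]
homePath   = $SPLUNK_DB/xenapp_perfmon/db
coldPath   = $SPLUNK_DB/xenapp_perfmon/colddb
thawedPath = $SPLUNK_DB/xenapp_perfmon/thaweddb
# Keep perfmon data for 7 days (7 * 86400 seconds).
# Frozen buckets are deleted unless coldToFrozenDir or
# coldToFrozenScript is set for the index.
frozenTimePeriodInSecs = 604800

# authorize.conf (constructed example; "xenapp_ops" is a hypothetical role)

[role_xenapp_ops]
# No importRoles here: allowed indexes are inherited additively, and
# the built-in "user" role allows all non-internal indexes, which
# would undo the restriction below.
search = enabled
# The Ops role may search alerts only; xenapp_perfmon is not listed,
# so searches against it return nothing for these users.
srchIndexesAllowed = xenapp_alerts
srchIndexesDefault = xenapp_alerts
```

Because the restriction is enforced per index, it only holds if perfmon and alert events are never written to the same index; sourcetype-level separation inside a single index would not give the same guarantee.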


mohankesireddy
Path Finder

Hi Turk,

No, there is no specific reason. I just wanted to understand why they need three different indexes.

0 Karma

rturk
Builder

Hi there - Is there any reason why you think this would be a problem?

0 Karma

mohankesireddy
Path Finder

Thanks Turk. This helps.

0 Karma