Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use variables for index in inputs.conf to deploy one app to different indexes in several machines?

tomatorage
New Member
‎10-03-2014 06:44 AM

I'm trying to make a generic app to deploy (via the deployment server) where I can use a variable for the index in the inputs.conf file.
So I can deploy one app to several machines, but use a different index for each machine.

The preferred variable to use is a custom fact from puppet, but can also be the serverClass which you define in the serverclass.conf on the deployment server.

Any suggestions?

Thanks in advance.

0 Karma
Reply

jmantor
Path Finder
‎10-01-2018 10:31 AM

Can I do this with an envirnment variable?
I've had good luck defining SYSLOG_DIR in splunk-launch.conf and then referencing it in the path for a filemonitor.
This lets me have the name of the syslog node in the source and keeps my inputs.conf the same.
Can I do something similar to define an index in an inputs stanza?

0 Karma
Reply

jpvlsmv
Path Finder
‎03-25-2015 12:16 PM

Write your app to work with a search macro, and have Puppet put the correct value into $app/local/macros.conf

In macros.conf:
[index_for_this_env]
definition = index=%%puppet_replace_this%%

In your search, instead of index=foo eventtype=bar ..., you would have `index_for_this_env` eventtype=bar ... (backquotes around the macro name)

--Joe

0 Karma
Reply

tomatorage
New Member
‎10-03-2014 09:34 AM

I want to be able to have multiple environments with the same applications. You can use host to differentiate the environments and have all data indexed in one index. But I prefer to user more(and therefore smaller) indexes for performance. And be able to get rid of older data if an environment gets obsolete and needs to be cleaned.

for example
You can have environments A, B and C.
Apps 1 and 2 are on all environments and app 3 only on B and C.

Then I want to have the apps 1,2 and 3 on the deployment server and deploy them as mentioned above. With an automatic selection to use index A, B or C.

I hope this clarifies what I want.

0 Karma
Reply

jrodman
Splunk Employee
Splunk Employee
‎10-13-2014 12:52 AM

The performance characteristic of indexes for queries is not index size, but rather index density relative to queries. Putting the data in multiple indexes is not likely to help unless you make the data over an order of magnitude more dense relative to the searches are going to run. Meanwhile, if you were to do that, you would want that slice of data to be present on all indexers. Slicing the data up by indexer simply means you won't be able to do any horizontal scaling.

0 Karma
Reply

tomatorage
New Member
‎10-13-2014 11:40 PM

Hi jrodman,
Thanks for your reply.
I'm using data replication on the indexes, so I think horizontal scalability should not be a problem.

I'm still curious to an answer to my initial question. Just because I think it should be possible 🙂

0 Karma
Reply

pradeepkumarg
Influencer
‎10-03-2014 07:56 AM

Is there a reason why you want to use different index for the same data in different hosts?

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...