Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Development Environment (Best Practices)

balbano
Contributor
‎03-06-2012 10:53 AM

Hey Guys,

Trying to brainstorm on ways to create a development environment for my production splunk instance.

I'm not too fluent on transforming non-native log data and would first like to test my work out in a development instance of splunk. (using free license).

Just curious to see how you guys out there are doing it.

I just want to make sure the data is clean and presentable before getting applied to my production indexers.

Furthermore curious on how you guys out there are managing your LF between development and production.

Any feedback is always much appreciated.

Sorry if this sounds a little vague but the questions is pretty open ended and just looking for ideas.

Thanks.

Brian

Reply

Brian_Osburn
Builder
‎03-06-2012 12:08 PM

This may not be best practice, but this is what I do:

I have a Linux machine I use as my dev environment, but it shouldn't matter if it's windows or vmware, etc..

I set up my dev environment to use the same license master as my prod environment (I have plenty of room to grow and waste space if necessary).

I also set up my prod indexers as search peers to my dev indexer: that way if I'm developing a view or searches I can access the events in production without actually adding the views or searches to production yet.

If the logs aren't already being indexed by my production instance, I usually point it to an index on my dev box and play with the data before unleashing into my production environment.

You could even set up a seperate deployment server for your dev environment, or use yoru production one as well.

This is just a few things I do..I'm sure there's others out there who have more ideas..

Reply

slierninja
Communicator
‎11-30-2012 12:53 PM

Search Peers works great - just make sure you have an enterprise license (this won't work with free version)

0 Karma
Reply

lguinn2
Legend
‎03-06-2012 02:42 PM

I especially like the search peers idea - I hadn't thought of that!

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...