- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- What considerations should I make when rewriting m...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What considerations should I make when rewriting metadata for best efficiency?
I am in a situation where I need to rewrite metadata for each and every event. I need to rewrite index and sourcetype for starters. This is in a distributed environment with heavy forwarders in front of the indexers.
What considerations should I make?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, that's a conversation that really ought to be spoken over a lot of beer. You are basically asking "what are the considerations when (re)architecting an entire splunk ecology?" Without knowing more about your use case(s), I could wear down my fingers expounding on the internet without providing you the insights you most need.
Separating data by index and sourcetype -- segregating data with regard to how that data is going to be used -- is one key to efficiency of access, as long as you don't go too far. (Pretty much like normalization in relational databases. You normalize the overall design, then denormalize selectively to achieve maximum workability for your real-world applications.)
When considering what indexes to create, consider your users and their various roles, as well as the sensitivity of the particular classes of data involved. Consider frequency of access to each type of data, and consider granularity...whether the data will be generally needed at the detail level, or whether (and to what degree) aggregates in summary indexes would adequately meet most needs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The metadata overwrite operation (transforms) will happen on the Heavy forwarder, so make sure you've sufficient number of heavy forwarders (at least one per indexer you have) with decent h/w configurations. The reference h/w size will depend upon the data load you'll per indexer. This may help.
http://docs.splunk.com/Documentation/Splunk/6.5.2/Capacity/Performancechecklist
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you mean redesign or do you really mean that you are going to modify the data for buckets on the indexers after data has been indexed? I strongly advise against the latter.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
