But I would also like to integrate our Dev environment with existing PROD indexed data to feed ITSI (which is running on a Dev server) while we test it out for glass views, etc.
I would like to know the fastest/easiest/least invasive procedure to seed my Dev environment with existing production data. I came up with these approaches and would like to know which is preferred, and the process steps on how to achieve that option:
1. Point my new Dev search head(s) to our existing production indexer cluster, so when we issue a search via ITSI on our dev SH(s) it is routed to the existing production indexers and data, and retrieves results using that live prod data.
2. Instead, export/siphon off a small, specific set of Splunk production data, naming specific indexes, sources, and sourcetypes, and import that into my Dev indexer(s).
1 RHEL 7.3, running: acting as a front-end HA proxy, master, deployment node and license manager
3 RHEL 7.3, running: Splunk Enterprise v6.5 search head (not running a search head cluster deployer yet)
2 RHEL 7.3, running: Splunk Enterprise v6.5 indexer (running as a cluster within the dev env)
3 RHEL 6.7, running: Splunk 6.4.1 indexers
My thought is that if option #1 above is preferred, then I can just ignore the Dev indexers, as they won't serve a purpose in this POC?
Also, should I set up search head clustering on the Dev environment and then point that to the production indexers? Or can I get away with just setting up one (1) standalone search head?
Most importantly, could you help with the process steps on options?
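For option 2 in the post above, here is an added example of the export/import round trip; it is not code from the original thread and not Splunk's own tooling. It assumes hypothetical values (index app_logs, sourcetype access_combined, a one-day window, SPLUNK_HOME=/opt/splunk, credentials in the SPLUNK_AUTH variable) and uses only standard splunk CLI commands (splunk search -output rawdata, splunk add oneshot). It also adds a step the question does not mention: masking IPv4 addresses in the exported events before they leave production, since the dev environment is presumably less tightly controlled.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread: option 2, exporting a small,
# explicitly named slice of production data and loading it into dev indexers.
# Hypothetical values throughout: index app_logs, sourcetype access_combined,
# SPLUNK_HOME=/opt/splunk. Credentials come from SPLUNK_AUTH ("user:password")
# in the environment so they are not typed on the command line.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Build the export search for exactly one index/sourcetype pair and time
# window, so nothing outside the named slice leaves production.
build_export_search() {
  local index="$1" sourcetype="$2" earliest="$3" latest="$4"
  echo "index=${index} sourcetype=${sourcetype} earliest=${earliest} latest=${latest}"
}

# Name the export file after the pair so the import step can recover both.
export_file_name() {
  echo "$1__$2.raw"
}

# Mask IPv4 addresses in an exported raw file before it is copied to a less
# tightly controlled environment. Extend the sed expression (usernames,
# e-mail addresses, session ids) to whatever the chosen sourcetypes carry.
scrub_raw_export() {
  sed -E 's/[0-9]{1,3}(\.[0-9]{1,3}){3}/x.x.x.x/g' "$1"
}

# Run on a production search head: one raw file per pair, each scrubbed.
# $1 = output directory, $2 = earliest, $3 = latest, rest = "index:sourcetype".
export_prod_slice() {
  local outdir="$1" earliest="$2" latest="$3" pair index st raw
  shift 3
  mkdir -p "$outdir"
  for pair in "$@"; do
    index="${pair%%:*}"; st="${pair#*:}"
    raw="$outdir/$(export_file_name "$index" "$st")"
    # -maxout 0 lifts the CLI's default result cap; -output rawdata gives
    # one event per line, suitable for re-ingestion.
    "$SPLUNK_HOME/bin/splunk" search \
        "$(build_export_search "$index" "$st" "$earliest" "$latest")" \
        -output rawdata -maxout 0 -auth "$SPLUNK_AUTH" > "$raw.unscrubbed"
    scrub_raw_export "$raw.unscrubbed" > "$raw"
    rm -f "$raw.unscrubbed"
  done
}

# Run on a dev indexer after copying the directory over: re-ingest each file
# under its original index and sourcetype so ITSI searches match production.
import_into_dev() {
  local dir="$1" f base index st
  for f in "$dir"/*.raw; do
    base="$(basename "$f" .raw)"
    index="${base%%__*}"; st="${base#*__}"
    "$SPLUNK_HOME/bin/splunk" add oneshot "$f" -index "$index" \
        -sourcetype "$st" -auth "$SPLUNK_AUTH"
  done
}
```

Typical use: `export_prod_slice /tmp/seed -1d@d @d app_logs:access_combined` on a production search head, copy /tmp/seed to a dev indexer, then `import_into_dev /tmp/seed` there. Create the target indexes on the dev side first (`splunk add index app_logs`), or the events will not land where you expect. Because the raw events are re-parsed on ingestion, timestamps come from the event text, so pick sourcetypes whose events carry their own timestamp, and review the scrubbed file before it leaves production.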
Hi,
Perhaps another solution would be to migrate the configuration built in the dev environment and restore it into production? Have a read of the Splunk-suggested method:
https://docs.splunk.com/Documentation/ITSI/4.1.1/Configure/BackupandRestoreITSIconfig
You can always back up your POC configuration and restore it on production:
https://docs.splunk.com/Documentation/ITSI/4.1.1/Configure/BackupandRestoreITSIconfig
I would lean toward option 1. If your dev env is locked down to just admins, or you have appropriate roles defined on the dev search heads so users can't search what they shouldn't be allowed to search on your prod indexers, that seems like it should be OK.
And I would probably just run it on a standalone search head. We don't have ITSI, and I imagine supporting it in a cluster is a little more challenging than on a standalone (like Enterprise Security is), but typically a POC is more about what the app can do and less about how it needs to be supported. And if you have a temporary license, you probably want to spend as much time in the app as possible... instead of troubleshooting an SHC.
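To make the answer above concrete, here is an added example (not from the thread, and not Splunk's own tooling) of the option 1 wiring on a standalone dev search head: joining it to the production indexer cluster as a searchhead-mode member, and defining a restricted role so POC users can only reach named production indexes. The master URI, index names and role name are hypothetical; the cluster's pass4SymmKey is expected in the CLUSTER_SECRET environment variable rather than on the command line.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread: wire a standalone dev search
# head into an existing production indexer cluster (option 1) and restrict
# which production indexes its users may search.
# Hypothetical values: cluster master at prod-cm.example.com, the cluster's
# pass4SymmKey in $CLUSTER_SECRET, SPLUNK_HOME=/opt/splunk.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
PROD_MASTER_URI="${PROD_MASTER_URI:-https://prod-cm.example.com:8089}"

# Build the authorize.conf fragment. Distributed searches run with the
# search head's roles, so a role defined here is what limits which
# production indexes POC users can reach through the dev search head.
render_authorize_conf() {
  local allowed="$1"   # semicolon-separated list, e.g. "itsi_summary;app_logs"
  local default="$2"   # index searched when none is named in the search
  cat <<EOF
[role_itsi_poc]
importRoles = user
srchIndexesAllowed = ${allowed}
srchIndexesDefault = ${default}
# Deliberately no "*" here: a wildcard would expose every production index.
EOF
}

# Build the server.conf [clustering] stanza for a search head that is a
# member of a remote indexer cluster. This is what
#   splunk edit cluster-config -mode searchhead -master_uri ... -secret ...
# writes for you.
render_clustering_stanza() {
  local master_uri="$1" secret="$2"
  cat <<EOF
[clustering]
mode = searchhead
master_uri = ${master_uri}
pass4SymmKey = ${secret}
EOF
}

# Write both fragments into a local-config directory and echo its path.
# server.conf is created with mode 0600 because it holds the shared secret
# in clear text until splunkd encrypts it on the next restart.
write_dev_sh_config() {
  local dest="$1" secret="$2" allowed="$3" default="$4"
  mkdir -p "$dest"
  render_authorize_conf "$allowed" "$default" > "$dest/authorize.conf"
  (umask 077; render_clustering_stanza "$PROD_MASTER_URI" "$secret" > "$dest/server.conf")
  echo "$dest"
}

# Count how many indexes a generated authorize.conf actually allows, as a
# quick sanity check before restarting.
count_allowed_indexes() {
  local conf="$1"
  sed -n 's/^srchIndexesAllowed = //p' "$conf" | tr ';' '\n' | grep -c . || true
}

if [ "${1:-}" = "apply" ]; then
  # Real run on the dev search head. The secret comes from the environment so
  # it does not end up in shell history or `ps` output.
  : "${CLUSTER_SECRET:?set CLUSTER_SECRET to the cluster pass4SymmKey}"
  write_dev_sh_config "$SPLUNK_HOME/etc/system/local" "$CLUSTER_SECRET" \
      "itsi_summary;app_logs" "app_logs"
  "$SPLUNK_HOME/bin/splunk" restart
  "$SPLUNK_HOME/bin/splunk" list cluster-config   # confirm mode = searchhead
fi
```

Run it as `./join_prod_cluster.sh apply` on the dev search head, then assign POC users the itsi_poc role and nothing broader: once the search head is a cluster member, this role is the only thing between those users and every production index. Also check versions before joining, since a search head must be the same or a later version than the indexers it searches (a 6.5 search head can search 6.4.1 indexers, not the reverse). The dev indexers are simply left out of this configuration, which matches the question's idea of ignoring them for the POC.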