Getting Data In

How do I leverage existing production data into our Dev environment?

damonmanni
Path Finder

Scenario:

  • We are doing a POC using the Splunk ITSI tool. To achieve this, I built a new basic Splunk Dev environment on which I will install ITSI.
  • But I would also like to integrate our Dev environment with existing PROD indexed data to feed ITSI (which is running on a Dev server) while we test it out for glass views, etc.

  • I would like to know the fastest/easiest/least invasive procedure to seed my Dev environment with existing production data. I came up with these approaches and would like to know which is preferred and the process steps on how to achieve that option:

Option 1:

Point my new Dev search head(s) at our existing production indexer cluster, so that when we issue a search via ITSI on our Dev SH(s) it is routed to the existing production indexers and data, and retrieves results using that live prod data.

Option 2:

Instead, export/siphon off a small, specific set of Splunk production data, naming specific indexes, sources and sourcetypes, and import that into my Dev indexer(s).

Current Dev environment server details:

1 x rhel 7.3 - running: front-end HA proxy & cluster master & deployment node & license manager
3 x rhel 7.3 - running: Splunk Enterprise v6.5 search head (not running a search head cluster deployer yet)
2 x rhel 7.3 - running: Splunk Enterprise v6.5 indexer (running as a cluster within the Dev env)

Current Prod Environment server details:

3 x rhel 6.7 - running: Splunk 6.4.1 indexers

My thought is that if option #1 above is preferred, I can just ignore the Dev indexers, as they won't serve a purpose in this POC?

Also, should I set up search head clustering on the Dev environment and then point that at the production indexers? Or can I get away with just setting up one (1) standalone search head?

Most importantly, could you help with the process steps for the options?

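The export/replay route in Option 2, as an added example that is not part of the original post: it takes the newline-delimited JSON that Splunk's /services/search/jobs/export endpoint streams with output_mode=json, keeps only final (non-preview) rows for the named sourcetypes, remaps the production index name to a dev index, and builds the batch body the HTTP Event Collector accepts at /services/collector/event. The sample export lines, the index mapping and the hostnames in the comments are constructed; the REST export and HEC payload shapes are the ones Splunk documents.

```python
"""Convert Splunk search-export output into HEC events for replay into a dev index.

Producing the input (assumed hostnames; run against the prod search tier):
  curl -k -u admin:pw https://prod-sh.example:8089/services/search/jobs/export \
       -d search='search index=os sourcetype=linux_secure earliest=-1h' \
       -d output_mode=json > export.json
Replaying the output (assumed dev HEC endpoint and token):
  curl -k https://dev-idx.example:8088/services/collector/event \
       -H 'Authorization: Splunk <hec-token>' --data-binary @batch.json
Requires Python 3.7+ for datetime.fromisoformat.
"""
import json
from datetime import datetime

# Constructed sample in the shape the export endpoint streams with output_mode=json:
# one JSON object per line, the event fields under "result". The middle row is a
# preview row, which the endpoint emits before final results and which must be skipped.
SAMPLE_EXPORT = """\
{"preview":false,"offset":0,"result":{"_raw":"Mar  1 12:00:01 web01 sshd[1234]: Accepted publickey for deploy from 10.0.0.5 port 50000 ssh2","_time":"2017-03-01T12:00:01.000-05:00","host":"web01","index":"os","source":"/var/log/secure","sourcetype":"linux_secure"}}
{"preview":true,"offset":0,"result":{"_raw":"partial","_time":"2017-03-01T12:00:02.000-05:00","host":"web01","index":"os","source":"/var/log/secure","sourcetype":"linux_secure"}}
{"preview":false,"offset":1,"result":{"_raw":"Mar  1 12:00:03 web02 sshd[1235]: Failed password for root from 203.0.113.9 port 40000 ssh2","_time":"2017-03-01T12:00:03.000-05:00","host":"web02","index":"os","source":"/var/log/secure","sourcetype":"linux_secure"}}
"""


def export_to_hec_events(export_text, index_map, allowed_sourcetypes):
    """Yield HEC-ready dicts from export output.

    - skips preview rows
    - keeps the original timestamp (as epoch seconds), host, source and sourcetype
    - maps the prod index name to its dev counterpart; events from unmapped
      indexes are dropped so nothing lands somewhere unintended
    - drops sourcetypes outside the allow-list (the "specific set" being seeded)
    """
    for line in export_text.splitlines():
        if not line.strip():
            continue
        row = json.loads(line)
        if row.get("preview"):
            continue
        r = row["result"]
        if r.get("sourcetype") not in allowed_sourcetypes:
            continue
        dev_index = index_map.get(r.get("index"))
        if dev_index is None:
            continue
        ts = datetime.fromisoformat(r["_time"])  # offset-aware, e.g. ...-05:00
        yield {
            "time": ts.timestamp(),
            "host": r.get("host"),
            "source": r.get("source"),
            "sourcetype": r["sourcetype"],
            "index": dev_index,
            "event": r["_raw"],
        }


def build_hec_batch(export_text, index_map, allowed_sourcetypes):
    """Return (events, body): the event dicts and the newline-delimited HEC batch body."""
    events = list(export_to_hec_events(export_text, index_map, allowed_sourcetypes))
    return events, "\n".join(json.dumps(e) for e in events)


if __name__ == "__main__":
    evts, body = build_hec_batch(SAMPLE_EXPORT, {"os": "dev_os"}, {"linux_secure"})
    print(f"{len(evts)} events ready for HEC")
    print(body)
```

Keeping the original _time rather than letting HEC stamp arrival time matters for an ITSI POC, since KPI searches are time-windowed; and restricting by index map and sourcetype is what keeps a "small, specific set" from turning into a copy of everything the export search happened to match.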

mserieys_splunk
Splunk Employee

Hi,
Perhaps another solution would be to migrate the configuration built in the dev environment and restore it into production? Have a read of the Splunk-suggested method:

https://docs.splunk.com/Documentation/ITSI/4.1.1/Configure/BackupandRestoreITSIconfig

You can always back up your POC configuration and restore it on production.


maciep
Champion

I would lean toward option 1. If your dev env is locked down to just admins, or you have appropriate roles defined on the dev search heads so users can't search what they shouldn't be allowed to search on your prod indexers, that seems like it should be OK.

And I would probably just run it on a standalone search head. We don't have ITSI, and I imagine supporting it in a cluster is a little more challenging than on a standalone (like Enterprise Security is), but typically a POC is more about what the app can do and less about how it needs to be supported. And if you have a temporary license, you probably want to spend as much time in the app as possible... instead of troubleshooting an SHC.

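A way to check the caveat in the answer above before pointing a dev search head at the production indexers, as an added example rather than anything from the thread or from Splunk: the search head's own authorize.conf decides which indexes each role may search on the peers, and Splunk unions srchIndexesAllowed across importRoles, so a POC role that imports a role allowed `*` can search everything on prod. The script parses an authorize.conf (the one below is constructed, including a deliberately over-broad user role), resolves each role's effective index list through its imports, and reports every pattern that reaches beyond the indexes the POC is permitted to see. Role and index names are assumptions.

```python
"""Audit dev search head roles before attaching the search head to prod indexers.

Rule applied: a role may search the union of its own srchIndexesAllowed and that
of every role it imports (transitively). Any wildcard pattern, or any index not
in the permitted set, is reported with the role that contributed it.
"""
import configparser

# Constructed authorize.conf: itsi_poc looks tight, but it imports "user",
# which is allowed "*", so it can actually search every prod index.
SAMPLE_AUTHORIZE_CONF = """\
[role_admin]
srchIndexesAllowed = *;_*
srchIndexesDefault = main

[role_user]
srchIndexesAllowed = *
srchIndexesDefault = main

[role_itsi_poc]
importRoles = user
srchIndexesAllowed = os;itsi_summary
srchIndexesDefault = os

[role_poc_reader]
importRoles = itsi_poc
srchIndexesAllowed = os
"""


def _split_list(value):
    """Splunk conf lists are semicolon-separated."""
    return [x.strip() for x in value.split(";") if x.strip()]


def load_roles(conf_text):
    """Parse [role_<name>] stanzas into {name: {"imports": [...], "allowed": [...]}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep camelCase keys such as srchIndexesAllowed
    cp.read_string(conf_text)
    roles = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        roles[section[len("role_"):]] = {
            "imports": _split_list(cp.get(section, "importRoles", fallback="")),
            "allowed": _split_list(cp.get(section, "srchIndexesAllowed", fallback="")),
        }
    return roles


def effective_allowed(roles, name, _seen=None):
    """Map each index pattern the role can search to the role that contributed it.

    Walks importRoles transitively; a shared 'seen' set tolerates cycles and
    diamond imports without double-counting (the result is a union anyway).
    """
    seen = _seen if _seen is not None else set()
    if name in seen or name not in roles:
        return {}
    seen.add(name)
    allowed = {p: name for p in roles[name]["allowed"]}
    for imported in roles[name]["imports"]:
        for pattern, source in effective_allowed(roles, imported, seen).items():
            allowed.setdefault(pattern, source)
    return allowed


def audit(roles, permitted_indexes, check_roles):
    """Return {role: [(pattern, contributing_role), ...]} for every role whose
    effective allow-list contains a wildcard or an index outside permitted_indexes."""
    findings = {}
    for role in check_roles:
        bad = [
            (pattern, source)
            for pattern, source in sorted(effective_allowed(roles, role).items())
            if "*" in pattern or pattern not in permitted_indexes
        ]
        if bad:
            findings[role] = bad
    return findings


if __name__ == "__main__":
    roles = load_roles(SAMPLE_AUTHORIZE_CONF)
    for role, bad in audit(roles, {"os", "itsi_summary"}, ["itsi_poc", "poc_reader"]).items():
        for pattern, source in bad:
            print(f"{role}: can search '{pattern}' via role '{source}'")
```

Run it against the dev search head's merged configuration (the output of `splunk btool authorize list --debug`, not a single file) so imported stanzas from apps and the system defaults are included; the fix for the constructed case is to drop `importRoles = user` from the POC role, or to give it a base role whose own srchIndexesAllowed is as narrow as the POC's.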