Getting Data In

How do I leverage existing production data into our Dev environment?

damonmanni
Path Finder

Scenario:

  • We are doing a POC using the Splunk ITSI tool. To achieve this, I built a new basic Splunk Dev environment on which I will install ITSI.
  • But I would also like to integrate our Dev environment with existing PROD indexed data to feed ITSI (which is running on a Dev svr) while we test it out for glass views, etc.
  • I would like to know the fastest/easiest/least invasive procedure to seed my Dev environment w/ existing production data. I came up w/ these approaches and would like to know which is preferred and the process steps on how to achieve that option:

Option 1:

Point my new Dev search head(s) to our existing production indexer cluster, so when we issue a search via ITSI on our Dev SH(s) it will route it to the existing production indexers and data, and retrieve results using that live prod data.

Option 2:

Instead, export/siphon off a small, specific set of Splunk production data, naming specific indexes, sources, and sourcetypes, and import that into my Dev indexer(s).

Current Dev environment server details:

  • 1 x RHEL 7.3 - running: acting as a front-end HA proxy & Master & Deployment node & License Mgr
  • 3 x RHEL 7.3 - running: Splunk Enterprise v6.5 search head (not running search head cluster deployer yet)
  • 2 x RHEL 7.3 - running: Splunk Enterprise v6.5 indexer (running as a cluster w/in the Dev env)

Current Prod Environment server details:

  • 3 x RHEL 6.7 - running: Splunk 6.4.1 indexers

My thought is if option #1 above is preferred, then I can just ignore the Dev indexers as they won't hold a purpose in this POC?

Also, should I set up search head clustering on the Dev environment and then point that to the production indexers? Or can I get away w/ just setting up one (1) standalone search head?

Most importantly, could you help with the process steps for the options?


mserieys_splunk
Splunk Employee

Hi,
Perhaps another solution would be to migrate the configuration built in the Dev environment and restore it into production? Have a read on the Splunk suggested method. You can always back up your POC configuration and restore it on production:

https://docs.splunk.com/Documentation/ITSI/4.1.1/Configure/BackupandRestoreITSIconfig


maciep
Champion

I would lean toward option 1. If your dev env is locked down to just admins or you have appropriate roles defined on the dev search heads so users can't search what they shouldn't be allowed to search on your prod indexers, that seems like it should be ok.

And I would probably just run it on a standalone search head. We don't have ITSI, and I imagine supporting it in a cluster is a little more challenging than on a standalone (like Enterprise Security is), but typically a POC is more about what the app can do and less about how it needs to be supported. And if you have a temporary license, you probably want to spend as much time in the app as possible... instead of troubleshooting an SHC.

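As an added illustration of option 1 with the role restriction maciep describes (not configuration from either poster), these are the two stanzas a standalone Dev search head needs: `server.conf` joins it to the production indexer cluster in search-head mode, and `authorize.conf` gives the POC users a role that can only search the indexes the POC actually needs. The hostname, secret, role name and index names are placeholders to be replaced with your own values.

```ini
# $SPLUNK_HOME/etc/system/local/server.conf on the Dev search head
# Attaches this search head to the PROD indexer cluster as a search-head
# node. It searches the cluster's data but holds no indexes itself, so the
# Dev indexers are not needed for this POC.
[clustering]
mode = searchhead
# Management port of the PROD cluster master (placeholder hostname)
master_uri = https://PROD-CLUSTER-MASTER:8089
# Must match the PROD cluster's shared secret (placeholder value)
pass4SymmKey = REPLACE_WITH_PROD_CLUSTER_SECRET

# $SPLUNK_HOME/etc/system/local/authorize.conf on the Dev search head
# Least-privilege role for POC users: inherits the plain "user" role but is
# limited to the PROD indexes the ITSI glass tables need. Do not give POC
# accounts "admin" or a role with srchIndexesAllowed = * on this host, since
# every search here runs against live production data.
[role_itsi_poc]
importRoles = user
# Indexes the role may search (placeholder names); "*" would expose all of PROD
srchIndexesAllowed = os;web_access;app_logs
# Indexes searched when no index= is given
srchIndexesDefault = os;web_access
# Cap runaway POC searches so they cannot monopolise the PROD indexers
srchJobsQuota = 5
srchDiskQuota = 500
```

Restart the search head after editing and confirm on the cluster master's Indexer Clustering page that it lists the new search head before assigning users to the restricted role.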