Hi There,
I would like to know if it's not recommended to index the same logs to two different indexes?
We actually found a way to do it using a symlink:
https://answers.splunk.com/answers/61433/have-forwarder-duplicating-data-to-2-indexes.html
Besides the license usage since we will be indexing the same logs twice, is this a bad practice?
Thanks,
Aldwin
I think that it is a terrible idea. First, it is a double-license hit ($$). Second, it is a double-disk hit ($) with negligible added value. Usually when people are considering this it is because they are starting to think HA and DR. Splunk has tools for this in the multi-site and clustering configurations. That is the route that you should examine first (they are not perfectly flexible but can usually be made to work).
Thank you both for your answers.
Much appreciated!!!
I vote 'bad'. In addition to doubling your license usage, your searches will have duplicate results.
If you want to protect your data from an indexer failure, use index replication. It achieves the same result without affecting your license or search results. See http://docs.splunk.com/Documentation/Splunk/6.6.2/Capacity/ComponentsofaSplunkEnterprisedeployment#I....