Splunk Search

Best Practice for saved searches and own APPs / TA

tfechner
Path Finder

Hi there,

we have a SH-cluster and index-cluster (and Dextra deploy-server).
We defined some automatic lookups and searches on the SH-cluster. The permissions are set to read for everyone so that event enrichment is done for all users. Works fine.
But if we add more, there could be a mess.
So we are thinking of a company TA which defines all searches and lookups across all standard TAs and apps: doing an LDAP extraction is moved from the SA-ldapsearch app to our app, for example.

Is that a good scheme to work with, or should every "addon" or search for an app be as close as possible to the original app?

Torsten

1 Solution

jplumsdaine22
Influencer

There are lots of ways to skin this cat, and I hesitate to recommend a solution without knowing your exact circumstances and the tradeoffs you're willing to make.

From my own experience managing several thousand users, you want to get out of the business of directly managing Knowledge Objects as soon as possible. A better way to do it is to create team/role-based apps that do not export objects globally. That way users will not be interfering with each other.
But, if you have only a very small user base, then what you're suggesting could be feasible.

However, I would leave SAs and TAs alone where possible. Other apps (I'm looking at you, ITSI) may be expecting them, and the last thing you want to do is create custom dependencies in your environment.

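As an added illustration (not from either poster) of the two models discussed above, the scoping is expressed in an app's metadata/default.meta; the app-wide "read for everyone, exported globally" pattern from the question sits beside the "team app that does not export globally" pattern from the answer. The role and object names are made up for the example.

```ini
# Pattern 1 (the questioner's current setup): a company TA whose knowledge
# objects are readable by everyone and exported to every app.
# Every user and every other app sees these lookups and searches.
[]
access = read : [ * ], write : [ admin ]
export = system

[props]
export = system

[transforms]
export = system

# Pattern 2 (the answer's recommendation): a team-scoped app. Nothing is
# exported outside the app, so objects from different teams cannot collide,
# and only members of the team role (constructed name) can read or edit them.
# This block would live in a separate app, e.g. team_sec_app/metadata/default.meta.
[]
access = read : [ role_team_sec ], write : [ role_team_sec_admin ]
export = none

# A scheduled search that stays private to the team app.
[savedsearches/Team%20Sec%20Daily%20Report]
access = read : [ role_team_sec ], write : [ role_team_sec_admin ]
export = none
owner = nobody

# Deliberately export one shared lookup definition only, rather than the
# whole app, if another app truly needs it.
[transforms/team_sec_asset_lookup]
export = system
```

Object names in stanza headers are URL-encoded (spaces become %20), and a per-object stanza overrides the app-wide `[]` stanza, so an app can default to `export = none` and opt individual objects into global export.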


sloshburch
Splunk Employee

Agreed that it's not a clear-cut solution. I'll reach out to you on the side.


jplumsdaine22
Influencer

A private SloshBurch experience? @tfechner you're in for a treat 🙂


tfechner
Path Finder

Thanks. I will try to create an app for all custom field extractions, scheduled searches and field actions.
