
Post-install Configuration Guide needed #15

Closed
wants to merge 2 commits into from

Conversation

@anthonygtellez anthonygtellez commented Feb 4, 2016

Pull Request comprises two sample files with proposed methods for Data Model Optimization, Enforcing Role Based Access Controls for searches, Volume Retention, and Utilizing a custom index for Wildfire Report storage.

1. Data models are searching all non-internal indexes to locate pan logs. This can be optimized by specifying the index they have been stored in, increasing the efficiency.

2/4. RBACs - Wildfire data is collected into index=main; however, many customers do not realize this and may not want these reports searchable by all users who inherit that index by default. Secondly, the dashboards are relying on the role of the user to deny them from searching palo-alto data, but because index=main is specified in the savedsearches.conf all users will be able to see this data in some of the dashboards.

3. Many customers use volume sizing to set retention periods on how quickly to roll the data to frozen or retain for compliance reasons. Splunk PS regularly sets these configurations differently based on daily volume per source and hardware capacity. index=main is rarely used and may have a retention set shorter than the palo-alto index used by the customer.

I have added comments to the configurations for review or further discussion. I have added them in the /local folder so they can be tested. The lines will need to be uncommented in both macros.conf.custom & savedsearches.conf.custom.
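As an added illustration (not the sample files from this pull request, and not the app's own configuration), here is what the four changes look like as Splunk .conf stanzas: the macro names pan_index and wildfire_index, the index names pan_logs and wildfire, the role name role_pan_analyst and the retention values are all assumptions.

```ini
# macros.conf (constructed example; macro names are assumptions)
# Data models and saved searches reference the macro instead of hard-coding
# an index, so the index can be changed in one place after install.
[pan_index]
definition = index=pan_logs
iseval = 0

[wildfire_index]
definition = index=wildfire
iseval = 0

# savedsearches.conf: the weak form the PR description warns about.
# index=main is inherited by every role, so the dashboard shows the
# reports to all users regardless of their PAN role.
[Wildfire Reports - before]
search = index=main | stats count by source

# savedsearches.conf: the corrected form. Which users may see this
# data is now decided by the index list on their role, not by the search.
[Wildfire Reports - after]
search = `wildfire_index` | stats count by source

# indexes.conf: a dedicated index for WildFire reports so that its
# retention no longer follows whatever is set on main.
# (Point the input that collects the reports at it with "index = wildfire".)
# Splunk conf files do not allow inline comments after a value.
[wildfire]
homePath   = $SPLUNK_DB/wildfire/db
coldPath   = $SPLUNK_DB/wildfire/colddb
thawedPath = $SPLUNK_DB/wildfire/thaweddb
# 365 days before rolling to frozen; assumed compliance period
frozenTimePeriodInSecs = 31536000
maxTotalDataSizeMB = 50000

# authorize.conf: only members of this role can search the PAN indexes,
# even when a dashboard or saved search names the index explicitly.
[role_pan_analyst]
importRoles = user
srchIndexesAllowed = pan_logs;wildfire
srchIndexesDefault = pan_logs
```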

@btorresgil (Member)

Hi Anthony, thanks for the pull request. I like your approach using sample files that can be deployed when needed. Unfortunately Splunk no longer allows apps to have a 'local' directory, but that is easily changed. I'll make sure this gets integrated in the next release.

Thanks again!
-Brian

@btorresgil btorresgil self-assigned this Feb 4, 2016
@anthonygtellez (Author)

That's perfectly fine. I tossed them in local for testing and validation purposes. When shipping via Splunkbase they should go into /default as best practice. I will be glad to see this added as an enhancement, thanks for the quick response!

@btorresgil (Member)

Let's handle this in a post-install configuration guide. This and other customizations are important for post-install, but might not apply to all customers. No changes to app or add-on, but make a documentation change.

@btorresgil (Member)

Working on a documentation overhaul that will resolve this issue. Stay tuned.

@btorresgil btorresgil changed the title Custom Indexes, RBACs & DM optimization Post-install Configuration Guide needed Oct 6, 2017
darizotas commented Jan 24, 2018

Hi @btorresgil, any update on this? I followed what @anthonygtellez recommended in his pull request and it works. Not sure if completely, as the app has evolved.

@btorresgil btorresgil closed this Feb 27, 2019
@btorresgil (Member)

Closing this PR, added new documentation site with new information on configuration.
