Large Splunk Deployment Modifications: Use an index macro #5

Open
w3ttr3y opened this issue Jul 13, 2017 · 0 comments
w3ttr3y commented Jul 13, 2017

I would like to request a modification to use an index macro.

Using an index macro is a standard, best practice for Splunk applications. Currently, when a dashboard loads you are searching every index that is searched by default.

That can have two issues:

  1. It searches entirely too much data in large deployments -- we bring in over 2TB/day of data besides mhn and your searches are searching all of it even though mhn data will be limited to one index.
  2. It can miss the data. If the data the mhn data is coming into is not listed in the user's indexes to search by default, the dashboards will not populate even if the user has access to the data.

While you can't make everything automagically work out of the box for all deployments, by using an index macro, a Splunk administrator has one thing he/she needs to edit in order to make the dashboards work / apply a potentially large optimization.
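
An added example, not part of the original issue or the project's code: a small Python check that reports, for each search in a Simple XML dashboard, whether it is scoped through an index macro, hardcodes an index, or falls back to the user's default indexes. The macro name `mhn_index`, the index name `mhn`, the sourcetype and the sample dashboard are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumed macro name; the issue does not name one. In macros.conf it could be
# defined as:   [mhn_index]
#               definition = index=mhn      (index name is also an assumption)
INDEX_MACRO = "mhn_index"

# Constructed Simple XML dashboard for illustration, not taken from the project.
SAMPLE_DASHBOARD = """
<dashboard>
  <row>
    <panel><search><query>sourcetype=example_honeypot | stats count by src_ip</query></search></panel>
    <panel><search><query>`mhn_index` sourcetype=example_honeypot | top dest_port</query></search></panel>
    <panel><search><query>index=main sourcetype=example_honeypot | timechart count</query></search></panel>
  </row>
</dashboard>
"""

def classify(query, macro=INDEX_MACRO):
    """Classify how a search selects its index, looking only at the base
    search (text before the first pipe; quoted pipes are not handled)."""
    base = query.split("|", 1)[0]
    if "`" + macro + "`" in base:
        return "macro"            # admin edits one macro definition
    if re.search(r"\bindex\s*=", base):
        return "hardcoded"        # works only where that index name matches
    return "default-indexes"      # searches every default index, may miss data

def audit(xml_text, macro=INDEX_MACRO):
    """Return a (classification, query) pair for every <query> element."""
    root = ET.fromstring(xml_text.strip())
    results = []
    for node in root.iter("query"):
        query = (node.text or "").strip()
        results.append((classify(query, macro), query))
    return results

if __name__ == "__main__":
    for kind, query in audit(SAMPLE_DASHBOARD):
        print(f"{kind:16} {query}")
```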
