Refine your search:

Should a custom Splunk app use a separate index by default?

1

We're building a Splunk app and need to decide which index to use to store the events captured by our app's inputs. We'll let the use choose the index in our app's Setup configuration page (aka setup.xml), but we need to decide on a default.

Got a suggestion for whether our default should be "main" or should be a custom index for the app? If "it depends" then when would we want to choose one option over the other?

asked 12 May '10, 17:00

Justin%20Grant's gravatar image

Justin Grant
1.5k6739
accept rate: 50%

One Answer:
oldestnewestmost voted
2

I would generally recommend that data go to the system default (i.e., main) index by default. There is a significant environment-specific and system-level configuration for defining an index (disk space, volumes, retention policy, etc), and by specifying a new one, you would be significantly complicating the (correct) installation of your application. Separate identification of your data can be accomplished with distinct sourcetypes.

A separate index is important if you need to be able to move, delete, age, archive (etc) this data differently from the rest of the data in Splunk. You can and should think about doing this, but I would say that you should think about it separately from installation and configuration of the app. If necessary, it should be done before app installation. You can define these parameters for the index, and then tell your app inputs to use that index. But you should not force this by default.

link

answered 12 May '10, 17:57

gkanapathy's gravatar image

gkanapathy ♦
26.3k1622
accept rate: 42%

OK, thanks! Inside the app config, can we use the word "default" or should we use "main" as index name?

(12 May '10, 22:18) Justin Grant

you can use default

(31 May '10, 13:34) gkanapathy ♦
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×311
×299
×207

Asked: 12 May '10, 17:00

Seen: 1,280 times

Last updated: 12 May '10, 17:57

Related questions

How do I set a default search index per app?

Specify Default Index for App

Using summary index by default in app?

Splunk Java SDK: How do you query a macro defined in a custom app instead of the default splunk search app?

How to Change the Default Index of *NIX App

Purifying the default-index: Any way to subtract another-index-associated-lump from the default index?

When I am in default search app and click on an index name the query executed has garbage whitespace embedded. How do I fix this?

define index for my app

How to assign index of an app to another.

Copyright © 2005-2012 Splunk, Inc. All rights reserved.