Many companies are using Splunk for daily operations. Many are on the path to doing so. When we start to have internally developed code used in production operations, we begin to have requirements to manage that code. I am asking that Splunk support those requirements.
At my company, I consider poorly defined code migration and production migration one of the biggest risks to using Splunk
- **Source Code Management**: Splunk should support an end user's ability to keep track of changes to queries and knowledge objects. This can be internally, or using a well known SCM tool. For some of us, tracking who alerted the way data is understood and what they changed it from/to is actually a requirement.
- **Production accounts**: Splunk should support a concept of production accounts designed to own and run knowledge objects and queries.
1. A production account separates limits on operational concurrent searches and disk quotas from those of the user. It is always a real shame when user activity prevents an operational search from running
2. A production account is insulated from changes in team membership: if the user who owns these items leaves the company/team, someone is on the hook to move all of the content and increased quotas to a new user.
3. Also just using one system account is insufficient for this purpose. Many companies have multiple areas doing work with different access requirements and potentially different priority for concurrent search and disk space.
- **Produciton deployment process**: In additon to implementing production accounts, Splunk should support a mechanism for moving queries and knowledge objects to that produciton account. For some of us, this may or should be a requirement so that we can answer questions like, "Would your alert have told you about event X on the date in question?"
I am aware that we could put system administrators in the position of doing all of the above. That is how most development environments start off. Mature environments build these features in.
This is just a summary of SCM and production migration needs off the top of my head. If other users see this, I am sure that they can add more details.
Also, if this is of interest, please upvote to let Splunk know that the functionality is desired!
↧