Channel: Questions in topic: "splunk-enterprise"

Are there set guidelines for Splunk search best practices, and are there any other resources on this topic?

I am not sure exactly how to ask this question, so I will try to just dive right in.

Background: I work for a company that has a lot of environments for different customers. The hosts in these environments are all feeding their logs to Splunk via a forwarder installed on each host. We have started to utilize Splunk more and more over the last few months by setting up alerts and dashboards and such, which is putting more load on the Splunk infrastructure.

Issue: I wanted to see if there was any set of guidelines for how we should be using Splunk. Is there a right way and a wrong way to write a search, e.g. are there methods that we should avoid using because they are inefficient and you can get the same results with a search that has been thought out more? Getting down to brass tacks, it looks like more and more of our monitoring is going to be handled by Splunk and I don't want it to become this big bloated monster. I want to try and see if we can streamline what we are already doing before we add more checks (and more importantly reliance) onto the system. I have been going through some of the posts that are already on here and some of the submissions on this page: http://wiki.splunk.com/Community:More_best_practices_and_processes, but I just thought it would be a good idea to do it here too. Any help or insight would be greatly appreciated, even a link to another knowledge base would be great.
