All,
We use a Splunk staging environment to test system upgrades and fine-tune props and transforms before deploying new indexing configuration into production. That's brought the temptation of letting non-production Universal Forwarders, syslog, etc. continue to send data to staging (and not to production) after testing is complete. On one hand, it's great to have data coming in continuously for testing, but on the other hand, end users understandably want to search their non-prod data, which means that we're managing those indexes, permissions, apps, and need to be careful about interrupting service in staging. Nothing technically wrong, but something about it doesn't feel right; the same question about when to use staging is coming up with Deployment Server, too.
I'm curious what others do with non-production Splunk environments and/or non-production data that needs to go into Splunk. Any particular approaches that seem to work well (or not) when building a centralized Splunk service shared by many app teams? Thanks for your thoughts!