Hi All -
We have a bunch of Splunk indexes in place. Our application is going to migrate to a new set of servers. And we need to make a decision whether to use same Splunk indexes for the data on new servers or create new indexes. We have to run the application on both old and new servers for a good amount of time.
We have 2 options -
1) Reuse the indexes and create a new sourcetype for data from new servers.
For example: `index=myindex sourcetype=application` /// This will have data from old servers
`index=myindex sourcetype=application-new` /// This will have data from new servers.. index name remains same
2) Create a new index altogether for data from new servers
For example: `index=myindex sourcetype=application` /// This will have data from old servers
`index=myindex-new sourcetype=application` /// This will have data from new servers.. index name remains same
Both will involve some amount of work related to saved searches, dashboards, etc. But what is the preferred way to do this? As I understand, creating new indexes is a little more work and difficult to maintain. But what is the better choice between two options.
Thanks,
Payal
↧