Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature request: Multiple splunk index for multiple event types #120

Open
arunava-basu opened this issue Nov 15, 2017 · 3 comments
Open

Feature request: Multiple splunk index for multiple event types #120

arunava-basu opened this issue Nov 15, 2017 · 3 comments
Labels
enhancement

Comments

@arunava-basu
Copy link

Hello Splunk Team,

Good evening.

We have recently used the “Splunk Nozzle for PCF” tile in one of our PCF environments.

In this current tile, we don’t have an option to use multiple splunk indexes for multiple event types.
For example, one index for ‘LogMessage’, one for ‘ValueMetric’ and so on and so forth.

Reason for this requirement:
If we see a huge amount of Application logs that are flowing towards Splunk, then we have to stop that single index which we have configured inside the PCF Ops Manager GUI.
We need to do this as we have some storage restrictions from Splunk’s end.
And after that, we won’t be able to see any other system/component logs inside Splunk GUI as there was only 1 index and we have already stopped that index.

Possible Solution:
If we can use multiple indexes for multiple event types instead of using one index for all the event types. Then we will have the flexibility to start/stop any particular nozzle/index.

We have sent exactly the same request to pivotal-cf-feedback@pivotal.io. And they have replied with the following.

I got word back that the Pivotal Ecosystem team brought up your issue with their peers at Splunk today. So the topic is officially part of the discussion. They recommended that you follow that up by filing an issue directly with Splunk so that it is tracked in the partner channel and in Splunk's official system as well.

Please let us know if you already have a solution on this requirement.

Regards,
Arunava Basu
@stinkingpig
Copy link
Collaborator

stinkingpig commented Nov 15, 2017
edited
Loading

https://docs.splunk.com/Documentation/Splunk/7.0.0/Admin/Propsconf
"Props.conf is commonly used for:
...

  • Overriding automated host and source type matching. You can use
    props.conf to:
    ...
  • Routing specific events to a particular index, when you have multiple
    indexes."

@luckyj5
Copy link
Collaborator

luckyj5 commented Nov 15, 2017

@arunava-basu You can also refer to Index routing section of the documentation -
https://github.com/cloudfoundry-community/splunk-firehose-nozzle#index-routing

@rkitzman
Copy link

rkitzman commented Mar 12, 2019
edited
Loading

This has been an open request for almost 18 months. How to we get something like this moved up the priority list?
This is basically the same as issue #8

@rkitzman rkitzman mentioned this issue Mar 12, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@stinkingpig @arunava-basu @luckyj5 @rkitzman @kashyap-splunk