https://community.splunk.com/t5/Deployment-Architecture/Trigger-to-create-a-new-custom-raw-before-indexing-data/m-p/393883#M20726 <P>Hey@Kozokkon,</P> <P>You can try using summary indexing but this can be done after indexing data for the first time.<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/7.1.1/Knowledge/Usesummaryindexing">http://docs.splunk.com/Documentation/Splunk/7.1.1/Knowledge/Usesummaryindexing</A></P> <P>Let me know if this helps!!</P> Mon, 18 Jun 2018 07:26:48 GMT deepashri_123 2018-06-18T07:26:48Z https://community.splunk.com/t5/Deployment-Architecture/Trigger-to-create-a-new-custom-raw-before-indexing-data/m-p/393877#M20720 <P>Good afternoon,<BR /> I want to ask if there is a way how to create own _raw data and to fire some kind of SPL query when some new event come to splunk ( the best would be if it is possible to make it before indexing ).</P> <P>The whole idea is: When a new event comes, splunk will create a brand new event and save it in different index with little set of information from previous event + some extra info (for ex. actual timestamp).</P> <P>I tried to make this work with alert, by "alerting" each new event to a new index. But the problem is that solution is extremely slow. I tried to upload 20k of new data at once and it took about hour to parse all of these.</P> <P>Here is the pic of my idea:<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/5227i045801A8412F19AA/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>That line between server and indexes is splunk server, the best would be if it gonna happen at pre or during indexing time, but if it happens after I wouldn't mind. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 15 Jun 2018 11:46:59 GMT https://community.splunk.com/t5/Deployment-Architecture/Trigger-to-create-a-new-custom-raw-before-indexing-data/m-p/393877#M20720 Kozokkon 2018-06-15T11:46:59Z https://community.splunk.com/t5/Deployment-Architecture/Trigger-to-create-a-new-custom-raw-before-indexing-data/m-p/393878#M20721 <P>What problem are you trying to solve? Perhaps there is another way to accomplish your goal.</P> Fri, 15 Jun 2018 13:19:42 GMT https://community.splunk.com/t5/Deployment-Architecture/Trigger-to-create-a-new-custom-raw-before-indexing-data/m-p/393878#M20721 richgalloway 2018-06-15T13:19:42Z https://community.splunk.com/t5/Deployment-Architecture/Trigger-to-create-a-new-custom-raw-before-indexing-data/m-p/393879#M20722 <P>When you say alerting, do you mean alert search with summary index option? If not, have you explored option of summary indexing for this?</P> Fri, 15 Jun 2018 15:17:32 GMT https://community.splunk.com/t5/Deployment-Architecture/Trigger-to-create-a-new-custom-raw-before-indexing-data/m-p/393879#M20722 somesoni2 2018-06-15T15:17:32Z https://community.splunk.com/t5/Deployment-Architecture/Trigger-to-create-a-new-custom-raw-before-indexing-data/m-p/393880#M20723 <P>In short: I'm receiving JSON so everything is parsed and saved as field. I need to anonymized some information and reduce some fields for search optimization. </P> Mon, 18 Jun 2018 06:49:17 GMT https://community.splunk.com/t5/Deployment-Architecture/Trigger-to-create-a-new-custom-raw-before-indexing-data/m-p/393880#M20723 Kozokkon 2018-06-18T06:49:17Z https://community.splunk.com/t5/Deployment-Architecture/Trigger-to-create-a-new-custom-raw-before-indexing-data/m-p/393881#M20724 <P>Mine idea was to parse already received information to another index with own redefined structure and variables and make searches on them. </P> Mon, 18 Jun 2018 06:52:19 GMT https://community.splunk.com/t5/Deployment-Architecture/Trigger-to-create-a-new-custom-raw-before-indexing-data/m-p/393881#M20724 Kozokkon 2018-06-18T06:52:19Z https://community.splunk.com/t5/Deployment-Architecture/Trigger-to-create-a-new-custom-raw-before-indexing-data/m-p/393882#M20725 <P>That was kinda a hack, i set alert per every new event and made a spl where I totally recreate my _raw output as I want and set it to save to another index.</P> Mon, 18 Jun 2018 06:54:32 GMT https://community.splunk.com/t5/Deployment-Architecture/Trigger-to-create-a-new-custom-raw-before-indexing-data/m-p/393882#M20725 Kozokkon 2018-06-18T06:54:32Z https://community.splunk.com/t5/Deployment-Architecture/Trigger-to-create-a-new-custom-raw-before-indexing-data/m-p/393883#M20726 <P>Hey@Kozokkon,</P> <P>You can try using summary indexing but this can be done after indexing data for the first time.<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/7.1.1/Knowledge/Usesummaryindexing">http://docs.splunk.com/Documentation/Splunk/7.1.1/Knowledge/Usesummaryindexing</A></P> <P>Let me know if this helps!!</P> Mon, 18 Jun 2018 07:26:48 GMT https://community.splunk.com/t5/Deployment-Architecture/Trigger-to-create-a-new-custom-raw-before-indexing-data/m-p/393883#M20726 deepashri_123 2018-06-18T07:26:48Z https://community.splunk.com/t5/Deployment-Architecture/Trigger-to-create-a-new-custom-raw-before-indexing-data/m-p/393884#M20727 <P>Data should be anonymized before it is indexed. Writing the anonymized data to a different index means the original version is still available in another index.</P> <P>Consider using a scripted or modular input to process the data as you wish before indexing.</P> Tue, 19 Jun 2018 00:30:00 GMT https://community.splunk.com/t5/Deployment-Architecture/Trigger-to-create-a-new-custom-raw-before-indexing-data/m-p/393884#M20727 richgalloway 2018-06-19T00:30:00Z