topic Re: Index access from scripted or modular input in Splunk Dev

Index access from scripted or modular input

chrisdev — Thu, 18 Mar 2021 15:26:40 GMT

Is it possible to access the index from a scripted or modular input? And is the standard way of doing this via the SDK features as shown in examples such as search.py?

Re: Index access from scripted or modular input

richgalloway — Thu, 18 Mar 2021 16:49:09 GMT

Scripted and modular inputs are input-only. Technically, they don't access indexes at all, but produce output which Splunk then writes to an index.

What problem are you trying to solve?

Re: Index access from scripted or modular input

chrisdev — Thu, 18 Mar 2021 16:57:06 GMT

Thank you.

Weighing up my options for deduplication of events at index time. Doesn't seem like the correct approach if it's bad practice to access an index from a scripted/modular input.

I know that there's a dedup command at search time, however ideally I wouldn't have duplicate events in the index. The source of these events, which im not in control of, may produce duplicates.

Re: Index access from scripted or modular input

richgalloway — Thu, 18 Mar 2021 17:56:05 GMT

I suggest the modular input cache events internally rather than try to fetch them from an index. If a new event is in the cache then it's a duplicate and can be discarded; otherwise, index it and add it to the cache. Yes, the cache will limit your look-back for duplicates, but will perform vastly better than scanning an index for every incoming event. You'll still need to handle duplicates at search time, but there will be far fewer of them.