All Apps and Add-ons
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Transform log file or field at index time using sc...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Transform log file or field at index time using script/python instead of at search time?
rnauman
Explorer
12-09-2013
04:47 AM
I have a base64 field in my IIS log file. There are 3 very important properties within the base64 string that I want to extract at index time. It looks like everything available within splunk will be translated at search time and not added to the index.
What I don't want to have to do is manage a scheduled process (windows) on each server to run a transform script on the log, make sure it ran, process it intelligently to avoid re-processing already translated rows, having splunk monitor the translated log instead, etc. This was largely the purpose of Splunk.
I would even be ok if splunk orchestrated running the transform script if it couldn't directly do the decode at index time. E.g., splunk runs this script before indexing.
I am currently using a search app to do the decoding with python but doing nothing more than calling the following is a 13-15x performance hit. I want to be able to filter based off of these 3 decoded properties and that makes this approach unacceptable.
results = splunk.Intersplunk.getOrganizedResults()
for r in results
// do nothing
Any help or suggestions are appreciated
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ayn
Legend
12-09-2013
05:54 AM
It sounds like a scripted input would meet your requirements? http://docs.splunk.com/Documentation/Splunk/6.0/Data/Setupcustominputs
Create a scripted input that runs on whatever interval you want, Splunk will ingest whatever output it has and will index the translated log data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
zsavushkin
Engager
05-13-2014
03:37 PM
Any suggestions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tcador
New Member
02-11-2014
12:41 PM
Was there ever an answer to this? I'm in the same situation as this:
"Ideally I'd have all the scripting run on the single indexer from the variable number of forwarder-provided-data. Is that possible? E.g. forwarder sends raw log -> indexer -> decode log from forwarder(s) -> index"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rnauman
Explorer
12-09-2013
06:51 AM
I'm using universal forwarders on each of the target machines. This gets sent via TCP to the single indexer instance. I'm not sure if scripted inputs will run on light forwarders. Ideally I'd have all the scripting run on the single indexer from the variable number of forwarder-provided-data. Is that possible? E.g. forwarder sends raw log -> indexer -> decode log from forwarder(s) -> index
Get Updates on the Splunk Community!
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Splunk AppDynamics Agents Webinar Series
Mark your calendars! On June 24th at 12PM PST, we’re going live with the second session of our Splunk ...
SplunkTrust Application Period is Officially OPEN!
It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open!
If you ...
