Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Prevent Splunk from re-indexing data

efelder0
Communicator
‎01-12-2012 07:08 AM

Here is the scenario:

During any given day (usually @ midnite), I am 'auto' indexing 3-5 files into Splunk and then running a search query, then producing some sort of output/report using "outputcsv".

However, at any given point during the day, there will be new files being auto-indexed into Splunk. Right now, Splunk is grabbing the current files and including the events from the older files in the search results.

Is there a way to configure Splunk (or use an app) to generate N number of reports as each unique file gets indexed. In other words, if I index 5 XML files from Symantec, index them into Splunk, and create 5 separate .csv files which each contain unique information without duplicating the event information from a previously indexed file?

Tags (2)
Reply

Rob
Splunk Employee
Splunk Employee
‎01-18-2012 10:40 AM

This can be done using a scheduled search in conjunction with altering your search to use the index time rather than the indexed event time to create the CSV file you are looking.

So you will want to use something like...

sourcetype="Symantec" | eval myTime=now()-60 | where _indextime>myTime | outputcsv myFile.csv

To break down the important pieces of this search, the | eval myTime=now()-60 portion uses eval to create a field which contains the epoch time stamp value of when the search is run and subtracts 60 seconds from that value. We then use the | where _indextime>myTime statement to get all the events from the last minute by comparing an events index time against the myTime value. If you run your scheduled search for every minute then the search will only contain events logged within the last minute. This should prevent most cases of duplication for the events that are put in to your CSV file.

Depending on how often you run the scheduled search, you will want to change the myTime value to correspond to the time frame of your scheduled search. In doing so, remember that all the values are in epoch time using seconds.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...