Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Trigger to create a new custom _raw before indexing data

Kozokkon
Engager
‎06-15-2018 04:46 AM

Good afternoon,
I want to ask if there is a way how to create own _raw data and to fire some kind of SPL query when some new event come to splunk ( the best would be if it is possible to make it before indexing ).

The whole idea is: When a new event comes, splunk will create a brand new event and save it in different index with little set of information from previous event + some extra info (for ex. actual timestamp).

I tried to make this work with alert, by "alerting" each new event to a new index. But the problem is that solution is extremely slow. I tried to upload 20k of new data at once and it took about hour to parse all of these.

Here is the pic of my idea:
alt text

That line between server and indexes is splunk server, the best would be if it gonna happen at pre or during indexing time, but if it happens after I wouldn't mind. 🙂

Tags (1)
Preview file
1 KB
0 Karma
Reply

deepashri_123
Motivator
‎06-18-2018 12:26 AM

Hey@Kozokkon,

You can try using summary indexing but this can be done after indexing data for the first time.
http://docs.splunk.com/Documentation/Splunk/7.1.1/Knowledge/Usesummaryindexing

Let me know if this helps!!

0 Karma
Reply

somesoni2
Revered Legend
‎06-15-2018 08:17 AM

When you say alerting, do you mean alert search with summary index option? If not, have you explored option of summary indexing for this?

0 Karma
Reply

Kozokkon
Engager
‎06-17-2018 11:54 PM

That was kinda a hack, i set alert per every new event and made a spl where I totally recreate my _raw output as I want and set it to save to another index.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-15-2018 06:19 AM

What problem are you trying to solve? Perhaps there is another way to accomplish your goal.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Kozokkon
Engager
‎06-17-2018 11:49 PM

In short: I'm receiving JSON so everything is parsed and saved as field. I need to anonymized some information and reduce some fields for search optimization.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-18-2018 05:30 PM

Data should be anonymized before it is indexed. Writing the anonymized data to a different index means the original version is still available in another index.

Consider using a scripted or modular input to process the data as you wish before indexing.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Kozokkon
Engager
‎06-17-2018 11:52 PM

Mine idea was to parse already received information to another index with own redefined structure and variables and make searches on them.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...