Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Trigger to create a new custom _raw before indexing data

Kozokkon
Engager
‎06-15-2018 04:46 AM

Good afternoon,
I want to ask if there is a way how to create own _raw data and to fire some kind of SPL query when some new event come to splunk ( the best would be if it is possible to make it before indexing ).

The whole idea is: When a new event comes, splunk will create a brand new event and save it in different index with little set of information from previous event + some extra info (for ex. actual timestamp).

I tried to make this work with alert, by "alerting" each new event to a new index. But the problem is that solution is extremely slow. I tried to upload 20k of new data at once and it took about hour to parse all of these.

Here is the pic of my idea:
alt text

That line between server and indexes is splunk server, the best would be if it gonna happen at pre or during indexing time, but if it happens after I wouldn't mind. 🙂

Tags (1)
Preview file
24 KB
0 Karma
Reply

deepashri_123
Motivator
‎06-18-2018 12:26 AM

Hey@Kozokkon,

You can try using summary indexing but this can be done after indexing data for the first time.
http://docs.splunk.com/Documentation/Splunk/7.1.1/Knowledge/Usesummaryindexing

Let me know if this helps!!

0 Karma
Reply

somesoni2
Revered Legend
‎06-15-2018 08:17 AM

When you say alerting, do you mean alert search with summary index option? If not, have you explored option of summary indexing for this?

0 Karma
Reply

Kozokkon
Engager
‎06-17-2018 11:54 PM

That was kinda a hack, i set alert per every new event and made a spl where I totally recreate my _raw output as I want and set it to save to another index.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-15-2018 06:19 AM

What problem are you trying to solve? Perhaps there is another way to accomplish your goal.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Kozokkon
Engager
‎06-17-2018 11:49 PM

In short: I'm receiving JSON so everything is parsed and saved as field. I need to anonymized some information and reduce some fields for search optimization.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-18-2018 05:30 PM

Data should be anonymized before it is indexed. Writing the anonymized data to a different index means the original version is still available in another index.

Consider using a scripted or modular input to process the data as you wish before indexing.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Kozokkon
Engager
‎06-17-2018 11:52 PM

Mine idea was to parse already received information to another index with own redefined structure and variables and make searches on them.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...