Deployment Architecture

Trigger to create a new custom _raw before indexing data

Kozokkon
Engager

Good afternoon,
I want to ask if there is a way to create my own _raw data and to fire some kind of SPL query when a new event comes into Splunk (the best would be if it is possible to do it before indexing).

The whole idea is: when a new event comes in, Splunk will create a brand new event and save it in a different index with a small set of information from the previous event + some extra info (for example, the actual timestamp).

I tried to make this work with an alert, by "alerting" each new event into a new index. But the problem is that this solution is extremely slow. I tried to upload 20k of new data at once and it took about an hour to parse all of it.

Here is the pic of my idea:

That line between the server and the indexes is the Splunk server. The best would be if it happens before or during indexing time, but if it happens after, I wouldn't mind. 🙂


deepashri_123
Motivator

Hey @Kozokkon,

You can try using summary indexing, but this can be done only after the data has been indexed for the first time.
http://docs.splunk.com/Documentation/Splunk/7.1.1/Knowledge/Usesummaryindexing

Let me know if this helps!!


somesoni2
Revered Legend

When you say alerting, do you mean an alert search with the summary index option? If not, have you explored the option of summary indexing for this?


Kozokkon
Engager

That was kind of a hack: I set an alert for every new event and made an SPL search where I totally recreate my _raw output as I want, and set it to save to another index.


richgalloway
SplunkTrust

What problem are you trying to solve? Perhaps there is another way to accomplish your goal.

---
If this reply helps you, Karma would be appreciated.

Kozokkon
Engager

In short: I'm receiving JSON, so everything is parsed and saved as fields. I need to anonymize some information and reduce some fields for search optimization.


richgalloway
SplunkTrust

Data should be anonymized before it is indexed. Writing the anonymized data to a different index means the original version is still available in another index.

Consider using a scripted or modular input to process the data as you wish before indexing.

---
If this reply helps you, Karma would be appreciated.
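To make the "process before indexing" advice above concrete, here is an added example of what a scripted input could look like; it is not code from the thread or from Splunk. It assumes a hypothetical JSON feed with the fields `event_type`, `status`, `src_ip`, `user`, `email` plus assorted extras, keeps only a small allow-list of fields, replaces the identifying ones with a keyed hash (so the clear-text values never reach any index, but equal values still correlate across events), adds the processing timestamp the original post asks for, and skips malformed lines instead of letting them through untransformed. The key and the sample lines are constructed for the example.

```python
#!/usr/bin/env python3
"""Hypothetical scripted input: reshape and pseudonymise JSON events
before Splunk indexes them (example code, not from the thread)."""
import hashlib
import hmac
import json
import sys
import time

# Fields copied unchanged into the reduced event (assumed schema).
KEEP_FIELDS = ("event_type", "status", "src_ip")
# Fields that must not reach the index in clear text (assumed schema).
MASK_FIELDS = ("user", "email")
# Assumption: in a real deployment the key is read from a protected config
# file, never a literal; without it the pseudonyms cannot be reproduced.
PSEUDONYM_KEY = b"replace-with-key-from-secure-config"


def pseudonymise(value, key=PSEUDONYM_KEY):
    """Keyed hash: identical inputs stay correlatable, but are not reversible."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def transform(event, now=None):
    """Build the reduced, anonymised event from one parsed JSON object."""
    reduced = {k: event[k] for k in KEEP_FIELDS if k in event}
    for k in MASK_FIELDS:
        if k in event and event[k] is not None:
            reduced[k] = pseudonymise(str(event[k]))
    # The "extra info" from the question: when this script handled the event.
    reduced["processed_at"] = now if now is not None else time.time()
    # Record how much was dropped, so the loss of detail is visible in searches.
    reduced["dropped_fields"] = len(set(event) - set(KEEP_FIELDS) - set(MASK_FIELDS))
    return reduced


def process_lines(lines, now=None):
    """Parse one JSON event per line. Malformed or non-object lines are
    reported on stderr and skipped, so a bad record neither stops the input
    nor slips through untransformed."""
    out = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError as exc:
            print(f"line {n}: skipped malformed JSON ({exc})", file=sys.stderr)
            continue
        if not isinstance(event, dict):
            print(f"line {n}: skipped non-object JSON", file=sys.stderr)
            continue
        out.append(transform(event, now))
    return out


# Constructed sample input standing in for the JSON feed described in the thread.
SAMPLE_LINES = [
    '{"event_type": "login", "status": "ok", "src_ip": "10.0.0.5", '
    '"user": "alice", "email": "alice@example.com", "session": "abc123", "ua": "Mozilla/5.0"}',
    '{"event_type": "login", "status": "fail", "src_ip": "10.0.0.9", '
    '"user": "alice", "email": "alice@example.com", "session": "def456"}',
    '{"event_type": "logout", "status": "ok"',  # truncated record, must be skipped
]

if __name__ == "__main__":
    # As a scripted input, each JSON line written to stdout becomes one event;
    # the destination index is chosen by the inputs.conf stanza for the script.
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    for reduced in process_lines(source):
        print(json.dumps(reduced, sort_keys=True))
```

Run it with no stdin to see the constructed sample transformed, or pipe a file of newline-delimited JSON into it. Because the reduced event is the only thing written to stdout, the original `session`, `ua` and clear-text identity fields are never indexed anywhere, which is the point of doing this step before indexing rather than copying into a second index afterwards.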

Kozokkon
Engager

My idea was to parse the already received information into another index with my own redefined structure and variables, and run searches on that.
