Can I modify Data from Splunk using Splunk API?

misteryuku · ‎03-12-2012

Lets say if i do not search for the data using the splunk search then can i edit the data directly from the splunk server using the Splunk's REST api?

Ayn · ‎03-12-2012

Edit as in change data that is already in Splunk's index? No. Once data is indexed, there is no (easy) way of altering it.

misteryuku · ‎03-12-2012

Nothing i just want to know if there is such thing as updating the indexed data since i don't see any documentation on that on this Splunk website.

Ayn · ‎03-12-2012

Could you tell us a bit more about what you're trying to achieve?

Ayn · ‎03-12-2012

When you search in Splunk - regardless of which method you're using - you're getting your results from Splunk's index, yes.

misteryuku · ‎03-12-2012

Normally when log file data is sent to splunk, splunk indexes the file data right? When you search for the result using Splunk's REST API, the result normally returns indexed data right? Am i right in both statements i made?

Ayn · ‎03-12-2012

OK. In that case the answer is no.

misteryuku · ‎03-12-2012

Yes. That is what mean. Edit as in change data that is already in Splunk's index.

Can I modify Data from Splunk using Splunk API?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms