Can you store data to Splunk without indexing?

Anmar0293 · ‎01-08-2019

I have data coming from MemSQL. Everything is fine with indexing, but I thought would it be possible to store data without indexing.
If so, how that could be done? Suggestions?

skoelpin · ‎01-08-2019

No, it's not.. Splunk's licensing model is based off index volume per day. If you could onboard data without indexing it, then it would upend Splunk's licensing model

afurrowgtri · ‎01-08-2019

You can use DBconnect (which I assume you're already using to index the data) to write your queries inline, then simply output to a lookup or KV store (read from that with inputlookup).

https://docs.splunk.com/Documentation/DBX/3.1.3/DeployDBX/Commands

| dbxquery query="SELECT list,of,desired,columns,here FROM tableName" connection="YourMemSQLConnectionName" maxrows=100
| outputlookup memSQLQuery.csv

Then

| inputlookup memSQLQuery.csv

Can you store data to Splunk without indexing?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Join the Conversation

Can you store data to Splunk without indexing?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...