Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to duplicate data to another index without res...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to duplicate data to another index without resending back to tcpout?
Lucas_K
Motivator
05-10-2016
05:25 PM
I have a situation where I'd like to duplicate some or all events going to one index into another.
The only point at which I can touch the data is as it hits the indexers. I can't use another heavy forwarder to do the duplication in flight.
In reading the docs, I've come up with this, but I think I'm missing something fundamental.
At a basic level below is sort of what I want:
props.conf
[mydupesourcetype]
TRANSFORMS-duplicate = original_index, duplicate_index
transforms.conf
[original_index]
FORMAT = indexa
REGEX = (.)
DEST_KEY = _MetaData:Index
[duplicate_index]
REGEX = mydupesourcetype
FORMAT = indexb
SOURCE_KEY = MetaData:Sourcetype
DEST_KEY = _MetaData:Index
http://docs.splunk.com/Documentation/Splunk/6.4.0/Forwarding/Routeandfilterdatad
This would mean the props and transforms above would never work as it would just rename the index in the duplicate_index stanza.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-10-2016
07:16 PM
You can use collect to copy existing data to another index or you can use CLONE_SOURCETYPE to clone new data as it comes in (but it has to be cloned to a different sourcetype).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Lucas_K
Motivator
05-19-2016
07:07 PM
Clone_sourcetype. Hmm haven't seen that one before will have to investigate the one.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
05-10-2016
06:25 PM
Hi Lucas K,
a quick thought here, how about using a collect search to duplicate some events into the new index or if you want to duplicate all events into the new index copy the buckets?
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Lucas_K
Motivator
05-19-2016
07:06 PM
Thanks! Unfortunately it doesn't get me the "like for like" proof I'm after it will also be a large resource hog to do so. Search time exceeds the time frame so it can't keep up with the incoming data.
It's a non trivial volume of data hence the entire requirement to do it on the way in.
I think I'm going to just pull the trigger on it and pray this fixes the issue.
Get Updates on the Splunk Community!
Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!
What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...
Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
A Prelude to .conf25: Your Guide to Splunk University
Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...
