Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to duplicate data to another index without resending back to tcpout?

Lucas_K
Motivator
‎05-10-2016 05:25 PM

I have a situation where I'd like to duplicate some or all events going to one index into another.

The only point at which I can touch the data is as it hits the indexers. I can't use another heavy forwarder to do the duplication in flight.

In reading the docs, I've come up with this, but I think I'm missing something fundamental.

At a basic level below is sort of what I want:

props.conf

[mydupesourcetype]
TRANSFORMS-duplicate = original_index, duplicate_index

transforms.conf

[original_index]
FORMAT = indexa
REGEX = (.)
DEST_KEY = _MetaData:Index

[duplicate_index]
REGEX = mydupesourcetype
FORMAT = indexb
SOURCE_KEY = MetaData:Sourcetype
DEST_KEY = _MetaData:Index

http://docs.splunk.com/Documentation/Splunk/6.4.0/Forwarding/Routeandfilterdatad

This would mean the props and transforms above would never work as it would just rename the index in the duplicate_index stanza.

0 Karma
Reply

woodcock
Esteemed Legend
‎05-10-2016 07:16 PM

You can use collect to copy existing data to another index or you can use CLONE_SOURCETYPE to clone new data as it comes in (but it has to be cloned to a different sourcetype).

0 Karma
Reply

Lucas_K
Motivator
‎05-19-2016 07:07 PM

Clone_sourcetype. Hmm haven't seen that one before will have to investigate the one.

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎05-10-2016 06:25 PM

Hi Lucas K,

a quick thought here, how about using a collect search to duplicate some events into the new index or if you want to duplicate all events into the new index copy the buckets?

cheers, MuS

0 Karma
Reply

Lucas_K
Motivator
‎05-19-2016 07:06 PM

Thanks! Unfortunately it doesn't get me the "like for like" proof I'm after it will also be a large resource hog to do so. Search time exceeds the time frame so it can't keep up with the incoming data.

It's a non trivial volume of data hence the entire requirement to do it on the way in.

I think I'm going to just pull the trigger on it and pray this fixes the issue.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...