Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What is the best method to write all event to RFS with Ingest Actions?

dokaas_2
Communicator
‎06-01-2023 01:30 PM

Our requirements are to have readily searchable data for 12 months and 'cold store' of data for an additional 18 mths (30 mths total).  Ingest Actions seems like the obvious choice since it can write to an S3 bucket and compress the data in a format easily re-ingested or passed to a 3rd party if needed.  However, the ingest actions seem to only work given you apply the ruleset to a sourcetype.  Given that there may be a hundred or more sourcetypes, this is a little onerous.  Is there a method to accomplish this w/o creating a ruleset for every sourcetype?

Labels (3)
Tags (3)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-01-2023 02:13 PM

Use a coldToFrozenScript for each index you wish to archive to S3.  Splunk will invoke the script for each bucket that reaches the end of its searchable lifetime.  Details are in the Admin Manual.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

dokaas_2
Communicator
‎06-05-2023 03:40 AM

That script, I believe, moves frozen buckets to an S3 storage location.  However, I what I want is to use the ingest actions  (Settings / Data / Ingest actions) to write all raw events in compressed JSON format.  Ingest actions is per source type and with nearly 100 or more source types, manually creating one for each is onerous.  

Ingest actions use RULESET in the props to define how to store on the Remote File System (RFS).

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-05-2023 04:17 AM

Hi

you should remember that with IA you could use S3 only if you are running that instance on AWS!

Splunk have "secret" wildcard for sourcetype in props.conf. I don't know if it works also for IA RULESET or not and can you use it via GUI or not. You can read more from https://www.splunk.com/en_us/blog/tips-and-tricks/quick-tip-wildcard-sourcetypes-in-props-conf.html. BUT remember that this is not officially supported and it can removed anytime!!

For that reason I also prefer @richgalloway 's proposal to use cold2frozen script. 

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...