Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What is the best way to update an index in Splunk to reflect a change in data pulled via a script from a database?

venkat_d
New Member
‎03-19-2015 11:34 AM

What is the best possible way to update an index in Splunk?

Here is my usecase:
Two lines are getting forwarded to Splunk
timestamp1 userid=foo status=active dept=hr
timestamp2 userid=bar status=active state=fin
...

Above values are coming from a script that reads the above data from mysql.
Now, my dashboard says user foo is in dept hr.
Now, I update the database to say user foo is in engineering dept.
I send this data to splunk again like this
timestamp3 userid=foo status=active dept=engineering

This causes issues in the dashboard that it lists user foo in both departments and department hr has an extra entry.

The question is how to update the indexes in splunk?
If it is not possible, how to solve the above problem - that i updated the database but have old+new entries in splunk.

Any suggestions?

0 Karma
Reply

somesoni2
Revered Legend
‎03-19-2015 11:52 AM

You can't update indexed data in splunk. Based on your description of the problem, you want to track OR rather show current status/info of a User (and disregard old status/info)

Options: If you have very less data/number of users, they you can try following:

1) Configure a lookup table file, say user_status_lookup, with required fields like timestamp, userid, state, dept.
2) Configure a scheduled search , that will run at an interval (say 30 min or 1 hr) which take the latest data from the Splunk instance for a User and add (if new user)/update (if existing) in the lookup table. The search could be like this

index=yourIndex sourcetype=yourSourcetype  earliest=-1h@h latest=@d | dedup userid | table timestamp,userid,state,dept | append [|inputlookup user_status_lookup  | table timestamp,userid,state,dept ] | stats first(*) as * by userid | table timestamp,userid,state,dept | outputlookup user_status_lookup

This will take the latest status for user from the raw data, merge it with existing data entries from lookup and update the lookup with latest entries.

3) Update your dashboard to use this lookup data instead of indexed data.

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...