Re: how can I keep the original host name in my su...

w199284 · ‎04-01-2019

I would like to duplicate a subset of events to another index. Just an exact duplicate of the original event. Summary indexing works great (as does collect) with the exception that I lose the original host and source information. I need the host. Source would be nice. I have not been able to figure out how to get those values in my summary index. I just don't have the knowledge to see the solution. Can someone help me out?

I have spent a few days looking at other Answers but could not find any that just wanted an exact duplicate event. Actually metasearch came close to doing what I wanted but gave me errors having to do with exceeded maxsearches - and was noticeably slow.

I feel like this ought to be a straightforward thing to do but, after a few days trial and error, I am humbled. I greatly appreciate any help. Thank You.

dflodstrom · ‎04-01-2019

You can use an eval to store the original host value: | eval orig_host=host | collect ...

kpkeimig · ‎06-09-2022

Watch your output format, the default is raw, optionally can set it to output_format=hec which would pass fields (and not redo extraction).

Example for a raw:
index=_audit source=audittrail sourcetype=audittrail host=sh* user=*
| eval _raw=_raw . ", " . "orig_host=" . host
| collect index=test source=audittrail sourcetype=audittrail

w199284 · ‎04-02-2019

Thank you dflodstrom! I tried this technique and it sort of worked. I did not get a new field in my summary index named orig_host but the source value WAS updated to the original hostname. It is quite likely I am omitting something. There is so much I don't know about Splunk!

Before adding "eval" source = /opt/splunk/var/spool/splunk/c4f34f0ea0dcaeb2_events.stash_new

After adding "eval" source = abc.xyz.com

how can I keep the original host name in my summary index?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!