Getting Data In

how can I keep the original host name in my summary index?

w199284
Explorer

I would like to duplicate a subset of events to another index. Just an exact duplicate of the original event. Summary indexing works great (as does collect) with the exception that I lose the original host and source information. I need the host. Source would be nice. I have not been able to figure out how to get those values in my summary index. I just don't have the knowledge to see the solution. Can someone help me out?

I have spent a few days looking at other Answers but could not find any that just wanted an exact duplicate event. Actually metasearch came close to doing what I wanted but gave me errors having to do with exceeded maxsearches - and was noticeably slow.

I feel like this ought to be a straightforward thing to do but, after a few days trial and error, I am humbled. I greatly appreciate any help. Thank You.

0 Karma

dflodstrom
Builder

You can use an eval to store the original host value: | eval orig_host=host | collect ...

kpkeimig
Explorer

Watch your output format, the default is raw, optionally can set it to output_format=hec which would pass fields (and not redo extraction).

Example for a raw:
index=_audit source=audittrail sourcetype=audittrail host=sh* user=*
| eval _raw=_raw . ", " . "orig_host=" . host
| collect index=test source=audittrail sourcetype=audittrail

0 Karma

w199284
Explorer

Thank you dflodstrom! I tried this technique and it sort of worked. I did not get a new field in my summary index named orig_host but the source value WAS updated to the original hostname. It is quite likely I am omitting something. There is so much I don't know about Splunk!

Before adding "eval" source = /opt/splunk/var/spool/splunk/c4f34f0ea0dcaeb2_events.stash_new

After adding "eval" source = abc.xyz.com

0 Karma
Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...