Is ETL a prerequisite for moving data into Splunk?

rc0rning
New Member

I'm trying to understand if I can move raw data directly into Splunk without any indexing.

1 Solution

mhassan
Path Finder

You must index the data if you want it "ingested" into Splunk! It will go against your daily licenses.

hemendralodhi
Contributor

I suggest you read some basics before jumping into anything. Refer to the links below to get a basic idea of Splunk and how it works.

There are numerous ways of getting data into Splunk, and indexing is a mandatory built-in functionality of Splunk, where it stores data as indexes so that users can query the data fast. You don't have to worry about indexing, as Splunk will do it automatically; just check how you can get the data in.

http://docs.splunk.com/Documentation/Splunk/latest/Overview/AboutSplunkEnterprise
http://docs.splunk.com/Documentation/Splunk/latest/Data/WhatSplunkcanmonitor

sundareshr
Legend

This is a great online tutorial on Splunk. Good starting point for novices. I would recommend this:

http://www.splunk.com/view/SP-CAAAH9U

jkat54
SplunkTrust

The act of indexing is required to be able to see the data in Splunk.

However, you can always send data in via the REST API, or UDP/TCP, etc. These methods don't require any ETL; however, you might not get the expected results.

You technically don't have to do any traditional ETL process to get data into Splunk; you just need to read the data in. If you want proper event breaks, timestamps, etc., you need to configure a sourcetype in some cases, but in many cases Splunk defaults detect the correct timestamp, and event breaks are every new line (crlf or \n\r or end of file).

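The sourcetype configuration mentioned in the answer above, as an added example that is not part of the original post: a `props.conf` stanza for a constructed log format whose events can span several lines, where breaking on every newline would split one event into many. The sourcetype name `acme:app`, the sample log lines and the UTC time zone are assumptions made for illustration.

```ini
# props.conf (added example; sourcetype name and log format are constructed)
#
# Constructed sample input: two events, the second spanning three lines.
#   2024-01-15 10:22:31 INFO  user=alice action=login result=success
#   2024-01-15 10:22:35 ERROR unhandled exception in worker
#       at app.worker.run(worker.py:88)
#       at app.main(main.py:12)

[acme:app]
# Do not re-merge lines after breaking; LINE_BREAKER alone defines events.
SHOULD_LINEMERGE = false

# Break only where a newline is followed by a timestamp, so the indented
# stack-trace lines stay attached to the ERROR event. Only the text matched
# by the first capture group (the newlines) is discarded as the delimiter.
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}

# The timestamp is the first 19 characters of each event; stating this
# explicitly keeps Splunk from picking up another date-like string
# further into the event.
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19

# Assumption: the source writes its timestamps in UTC.
TZ = UTC
```

These are index-time settings, so they affect data indexed after the change and not events already in the index.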

rc0rning
New Member

Your first answer was: "The act of indexing is the act of moving data into Splunk"

Your latest is: "The act of indexing is required to be able to see the data in Splunk."

Confused: which is it? Is it required to add data into Splunk or is it the mere act of adding the data? The difference seems substantial.

Please help, as you may see I'm a novice user.

jkat54
SplunkTrust

Just download a trial and see for yourself. Indexing data is as simple as you make it. What you can do with the data afterward varies based on how well you indexed it to begin with. ETL need not be a deal breaker because Splunk doesn't require structured data.

rc0rning
New Member

Be merciful, I'm a total novice 😞

So if indexing data is merely putting it into Splunk, I don't understand your statement "What you can do with the data afterward varies based on how well you indexed it to begin with." Are you referring to indexing performed before the ingestion into Splunk?

jkat54
SplunkTrust

Think about it... Did I edit my answer to make it incorrect?

I edited it to make more sense.

What is it that you think is involved in indexing?

The index is THE Splunk data store. Indexing data is the act of putting data into the index. If you don't have either, what data is there to search?

Both of my answers were correct to a degree.
