Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

.

Ash1
Communicator
‎09-14-2024 12:00 PM


.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-14-2024 10:43 PM

Hi @Ash1 ,

as also @PickleRick said, copying logs from one index in another one you pay twice your license (if you want to maintain the same sourcetype), is this acceptable for you?

Why do you want to do this?

if the reason is the access grants you could use 4 indexes for EP data and one for both EP and EM data, in this way you don't need to duplicate them.

Anyway, there is one way to copy logs from an index to another and it isn't relevant if they come from 4 indexes and must be copied in one:

1)

schedule a search and add at the end the collect command, something like this:

index IN (app-ep-index1, app-ep-index2, app-ep-index3, app-ep-index4) <condition_of_the_log_to_be_copied>
| collect index=app-em-index sourcetype=ypur_sourcetype)

this solution has three limits:

  • you pay twice the license,
  • there's a delay in the data availability in the app-em-index,
  • yu have to schedule one search for each sourcetype you want to copy. 

My hint is to send common logs to one index and give grants to both the groups to this index.

Ciao.

Giuseppe

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-15-2024 04:34 AM

@gcuselloYou don't have to do it separately for each sourcetype. If you use output_format=hec with collect you can either retain the original sourcetype or modify it dynamically.

@Ash1giving shared access to those 4 indexes would probably the way to go. If you don't wajt your users to have to type in all four indexes names, just define a macro or eventtype.

Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-14-2024 12:27 PM

Firstly, what do you mean by move? Secondly, why don't you just send the data to the right index in the first place?

0 Karma
Reply

Ram2
Explorer
‎09-14-2024 12:31 PM

Hi @PickleRick 

Firstly, what do you mean by move? — We want the logs to be in both EM and EP Splunk.

Secondly, why don't you just send the data to the right index in the first place? — We don’t want to create 4 indexes we want to reroute to 1 index only

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-14-2024 01:37 PM

Ah, so you don't want to move events but copy them. You can't easily do that.

You could duplicate events using CLONE_SOURCETYPE but thst works per sourcetype, not destination index.

So depending on your use case you could either try to duplicate events before ingeting them to Splunk or batch-copy them using the collect command with a scheduled search post-indexing.

You are aware that those events will consume your license twice?

0 Karma
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco &#43; Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
Top