Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

.

Ash1
Communicator
‎09-14-2024 12:00 PM


.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-14-2024 10:43 PM

Hi @Ash1 ,

as also @PickleRick said, copying logs from one index in another one you pay twice your license (if you want to maintain the same sourcetype), is this acceptable for you?

Why do you want to do this?

if the reason is the access grants you could use 4 indexes for EP data and one for both EP and EM data, in this way you don't need to duplicate them.

Anyway, there is one way to copy logs from an index to another and it isn't relevant if they come from 4 indexes and must be copied in one:

1)

schedule a search and add at the end the collect command, something like this:

index IN (app-ep-index1, app-ep-index2, app-ep-index3, app-ep-index4) <condition_of_the_log_to_be_copied>
| collect index=app-em-index sourcetype=ypur_sourcetype)

this solution has three limits:

  • you pay twice the license,
  • there's a delay in the data availability in the app-em-index,
  • yu have to schedule one search for each sourcetype you want to copy. 

My hint is to send common logs to one index and give grants to both the groups to this index.

Ciao.

Giuseppe

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-15-2024 04:34 AM

@gcuselloYou don't have to do it separately for each sourcetype. If you use output_format=hec with collect you can either retain the original sourcetype or modify it dynamically.

@Ash1giving shared access to those 4 indexes would probably the way to go. If you don't wajt your users to have to type in all four indexes names, just define a macro or eventtype.

Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-14-2024 12:27 PM

Firstly, what do you mean by move? Secondly, why don't you just send the data to the right index in the first place?

0 Karma
Reply

Ram2
Explorer
‎09-14-2024 12:31 PM

Hi @PickleRick 

Firstly, what do you mean by move? — We want the logs to be in both EM and EP Splunk.

Secondly, why don't you just send the data to the right index in the first place? — We don’t want to create 4 indexes we want to reroute to 1 index only

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-14-2024 01:37 PM

Ah, so you don't want to move events but copy them. You can't easily do that.

You could duplicate events using CLONE_SOURCETYPE but thst works per sourcetype, not destination index.

So depending on your use case you could either try to duplicate events before ingeting them to Splunk or batch-copy them using the collect command with a scheduled search post-indexing.

You are aware that those events will consume your license twice?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | How many sides does a circle have?

  March 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

New This Month - Splunk Observability updates and improvements for faster ...

What’s New? This month, we’re delivering several enhancements across Splunk Observability Cloud for faster and ...

What's New in Splunk Cloud Platform 9.3.2411?

Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...
Top