- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Reporting
- :
- Modify source name while summary indexing data
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Modify source name while summary indexing data
I have a saved search called searchA. I am scheduling this saved search and summary indexing the data. After the scheduler runs i am seeing the source value as searchA (source=searchA). But I would like to have the source value as searchX (source=searchX).
How to achieve it when the scheduler runs or do I have option to change the source name in searchA code itself, so that it can be picked up when the saved search runs?
Can someone help me?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello there,
you can leverage collect command to put results in summary indexes and overwrite the source
.... your search | collect index =<index_name> source=<source_name>
read here more:
http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Collect
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks for the response. It works. But it adds the data into summary index when I just run the saved search. I mean run the below query in the search box.
.... my search | collect index =<index_name> source=<source_name>
Can we control that to modify the source only when the saved search executes during the schedule time? Or is there any other way to change the source name only when the savedsearch executes during scheduled time?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
not sure exactly what you mean.
a search, scheduled or not, populates the summery index.
convert your saved search to the format above and save it to meet your requirements.
hope i understood your comment
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
well.. When we use collect, if someone, by mistake runs the saved search (through open in search option) the data will be summary indexed. I would like to avoid this.
So I want to summary index the data only by scheduling the saved search and change the source_name.
Please let me know if I am not clear.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is no way to change the behavior of a search based on whether it was scheduled or not. The collect command will always write to the summary index (unless the testmode option is enabled) every time the search executes.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how does that different form sistats or whatever you are doing today?
i feel like i already answered how to rename the source field when summarizing data via search. if not, please elaborate, as i probably did not understand your question
Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
