Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Modify source name while summary indexing data

angelinealex
Communicator
‎06-13-2018 11:49 AM

I have a saved search called searchA. I am scheduling this saved search and summary indexing the data. After the scheduler runs i am seeing the source value as searchA (source=searchA). But I would like to have the source value as searchX (source=searchX).

How to achieve it when the scheduler runs or do I have option to change the source name in searchA code itself, so that it can be picked up when the saved search runs?

Can someone help me?

0 Karma
Reply

adonio
Ultra Champion
‎06-13-2018 01:33 PM

hello there,

you can leverage collect command to put results in summary indexes and overwrite the source
.... your search | collect index =<index_name> source=<source_name>
read here more:
http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Collect

hope it helps

0 Karma
Reply

angelinealex
Communicator
‎06-13-2018 02:10 PM

thanks for the response. It works. But it adds the data into summary index when I just run the saved search. I mean run the below query in the search box. 

.... my search | collect index =<index_name> source=<source_name>

Can we control that to modify the source only when the saved search executes during the schedule time? Or is there any other way to change the source name only when the savedsearch executes during scheduled time?

0 Karma
Reply

adonio
Ultra Champion
‎06-13-2018 05:41 PM

not sure exactly what you mean.
a search, scheduled or not, populates the summery index.
convert your saved search to the format above and save it to meet your requirements.
hope i understood your comment

0 Karma
Reply

angelinealex
Communicator
‎06-15-2018 11:17 AM

well.. When we use collect, if someone, by mistake runs the saved search (through open in search option) the data will be summary indexed. I would like to avoid this.

So I want to summary index the data only by scheduling the saved search and change the source_name.

Please let me know if I am not clear.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-06-2018 06:12 AM

There is no way to change the behavior of a search based on whether it was scheduled or not. The collect command will always write to the summary index (unless the testmode option is enabled) every time the search executes.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

adonio
Ultra Champion
‎06-15-2018 01:19 PM

how does that different form sistats or whatever you are doing today?
i feel like i already answered how to rename the source field when summarizing data via search. if not, please elaborate, as i probably did not understand your question

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...