Solved: How to register log event by SPL.

smart111 · ‎12-23-2021

Does anyone know how to register log event to another index by SPL.

I'm assuming the answers like registering recodes from lookup file to an index executing a SPL regularly.

If there any way like that, please give your answer.

VatsalJagani · ‎12-23-2021

@smart111 - By registering an event, do you mean, indexing an event to index?

If so, then you can try using `collect` command.

For example if you wish to ingest entries from lookup file to index, your search would look something like this:

| inputlookup <your-lookup> | collect index=<index> sourcetype=<source>

- if the lookup is large, just make sure this event indexing is subject to license consumption just like normal Splunk data ingestion.

https://docs.splunk.com/Documentation/Splunk/8.2.3/SearchReference/Collect

View solution in original post

VatsalJagani · ‎12-23-2021

@smart111 - By registering an event, do you mean, indexing an event to index?

If so, then you can try using `collect` command.

For example if you wish to ingest entries from lookup file to index, your search would look something like this:

| inputlookup <your-lookup> | collect index=<index> sourcetype=<source>

- if the lookup is large, just make sure this event indexing is subject to license consumption just like normal Splunk data ingestion.

https://docs.splunk.com/Documentation/Splunk/8.2.3/SearchReference/Collect

smart111 · ‎12-23-2021

Thank you @VatsalJagani

That's really big help to me.

I could see a slution for the problem.

I appreciate.

How to register log event by SPL.

Analytics Workspace

using Splunk Cloud

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Are you a member of the Splunk Community?