Splunk Cloud Platform
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Send alerts data to new index using collect command

iamsplunker
Communicator
‎10-31-2023 11:54 AM

Hi Splunkers

I'm trying to send alerts data from one index to another using a macro
For ex: The macro is having 4 arguments like below and would like to send data to new index called "newidx" using collect command

here is the macro called `newmacro`
eval apple=xyz, banana=abc, mango=www, grape=123 | collect index=newidx

the idea is wherever I reference this macro in an alert that exact alert raw data need to be copied to the newidx but the sourcetype always changes as stash instead of original. I don't see all original fields in summary index

Is there any way to define a sourcetype something like |collect index=newidx sourcetype=$sourcetype$

Labels (1)
Labels
Tags (3)
0 Karma
Reply

_JP
Contributor
‎10-31-2023 12:14 PM

The collect command does allow you to define a sourcetype.  Note that the stash sourcetype is special as it doesn't hit your license volume.  When you use collect with a different sourcetype Splunk considers it "new" data since you may not be generating summarizing statistics on data already indexed.

Also, since this is tied to an alert, would using the Log Event Alert Action be sufficient?

0 Karma
Reply

iamsplunker
Communicator
‎10-31-2023 12:24 PM

@_JP thanks for your response. I'm not trying to define a new sourcetype here. Instead I want the same sourcetype to be collected from search.

I cannot define the custom sourcetype after collect command because the sourcetype varies based on the type of alert/alertname.

I want to reference this macro in most of the alerts!

0 Karma
Reply

_JP
Contributor
‎10-31-2023 01:15 PM

Are you collecting events from a lot of different sourcetypes?  If you just have one sourcetype per alert can you pass it into the macro like you would other parameters?

I configured a macro like the following:

_JP_0-1698782914777.png

And then was able to use it like this:

index=_internal earliest=-15m | stats count by component | `collect_macro(the_index=summary,the_sourcetype=special_sourcetype)`

 

And then in my summary index I saw stuff appear with the special_sourcetype instead of stash:

 

_JP_1-1698783198973.png

 

 

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...