Re: Index access from scripted or modular input

chrisdev · ‎03-18-2021

Is it possible to access the index from a scripted or modular input? And is the standard way of doing this via the SDK features as shown in examples such as search.py?

richgalloway · ‎03-18-2021

Scripted and modular inputs are input-only. Technically, they don't access indexes at all, but produce output which Splunk then writes to an index.

What problem are you trying to solve?

---
If this reply helps you, Karma would be appreciated.

chrisdev · ‎03-18-2021

Thank you.

Weighing up my options for deduplication of events at index time. Doesn't seem like the correct approach if it's bad practice to access an index from a scripted/modular input.

I know that there's a dedup command at search time, however ideally I wouldn't have duplicate events in the index. The source of these events, which im not in control of, may produce duplicates.

richgalloway · ‎03-18-2021

I suggest the modular input cache events internally rather than try to fetch them from an index. If a new event is in the cache then it's a duplicate and can be discarded; otherwise, index it and add it to the cache. Yes, the cache will limit your look-back for duplicates, but will perform vastly better than scanning an index for every incoming event. You'll still need to handle duplicates at search time, but there will be far fewer of them.

---
If this reply helps you, Karma would be appreciated.

Index access from scripted or modular input

modular input

Python

scripted input

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation