Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to modify an Event in a particular index?

kanishka97167
Observer
‎06-29-2022 12:04 PM

I am trying to add data into Splunk in Json format. All the events have the same format. Lets say we have some format like this:

[

     field1 : value1

     field2 : value2

]

 

Is is possible for me to update value1 to some value3, given field1? I am looking to first achieve this from website and if this possible, I am looking for REST APIs to achieve the same. 

Labels (1)
Labels
Tags (2)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-29-2022 01:10 PM

You must do this before events have indexed. After those are written to disk you cannot change those.

If you want to change those values before indexing that maybe do by props and transforms. But maybe it's easier to do it totally outside of Splunk?

Can you open with more details what is your issue which you are trying to solve?

0 Karma
Reply

kanishka97167
Observer
‎06-29-2022 01:59 PM

Hi isoutamo,

 

Thanks a lot for the quick response. I am basically trying to add data real time into Splunk for visualization using some dashboards. I am concerned with 3 operations here: Add, Delete and Modify. Adding and Deleting records works fine. But I am unable to find any resources to modify any existing events.

 

Also Could you please help me find some resources where I can add or delete events using the REST APIs that Splunk provides? I am specifically looking for these:

1. Add an event into a particular index

2. Given an index and field name(specific field name in the Json formatted event), delete that event from the index.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...
li.common.scroll-to.top