Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

can we execute a script or savedsearch as soon as source has some event to the indexer

khreddy
Explorer
‎08-24-2023 09:56 AM

I have a requirement to process and correlate the data as soon as things come in.

The data has some triggering events, which can be identified and used.

Is that possible in splunk to run something based on the incoming data.

0 Karma
Reply

khreddy
Explorer
‎08-24-2023 12:43 PM

I mean to run the search or script as soon as the data enters into the splunk indexer ... like applying transforms or sed on incoming data .... similarly can we trigger a script and do get additional info and index them into splunk while indexing ........not running on the splunk UI as realtime job.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-24-2023 05:14 PM

There's no such thing as index-time search or script execution.  You can use transforms or Ingest Actions to act on the data before it is indexed, but there are limits to what can be done.  If you use Splunk Cloud then Edge Processor may be a solution.  There also are third-party products that may be able to help.

Depending on how that data is ingested, you may be able to use a scripted or modular input instead.  That script can do anything you like to the data before it's indexed.

Keep in mind that the more you try to do to the data in the indexer the slower indexing will be.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-24-2023 10:32 AM

Saved searches can run as a real-time search, which means they will process events as soon as they arrive.  There is no equivalent for scripts.

That said, real-time searches should be avoided.  Every real-time search is pinned to a CPU so no other searches will use the CPU (that applies to the SH and *all* indexers).

Chances are a requirement for "real-time" processing doesn't mean "0 seconds delay".  A search that runs once each minute often can satisfy most requirements.

---
If this reply helps you, Karma would be appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...