Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Getting data from Elastic Search

ronak
Path Finder
‎01-16-2015 08:38 AM

Hi

Can you share sample scripts or configuration setting for me to get data from elastic search in an incremental manner?

The source data is information about event with updated_at to get the incremental information. Other attributes include event_name, event_location, event_start_time, event_end_time

thanks, ronak

Tags (2)
0 Karma
Reply

larmesto
Path Finder
‎09-25-2018 11:50 AM

This might be helpful for anyone visiting; I have started working on an addon for Elasticsearch instances, feel free to use it!
https://splunkbase.splunk.com/app/4175/

0 Karma
Reply

wsnyder2
Path Finder
‎05-24-2016 08:31 AM

I found this ... not sure if/how it works http://devpost.com/software/splunk-elasticsearch

0 Karma
Reply

somesoni2
Revered Legend
‎01-16-2015 10:59 AM

Could you provide more information on what you need here? Is the data already indexed and you just want to search and get the latest/updated incremental data?

0 Karma
Reply

ronak
Path Finder
‎01-16-2015 12:05 PM

hi - Yes, the data resides in ES.

0 Karma
Reply

chrisboy68
Contributor
‎01-16-2015 12:28 PM

Not sure what you are trying to do, but you could ship the data you already have to Elasticsearch to Splunk simultaneously. I'm doing this to evaluate both products.

Chris

Reply

ronak
Path Finder
‎01-16-2015 12:54 PM

Chris

Some system, that can send data to one destination , in my enterprise has already sent data to ES. My objective is to extract the data from ES and give to splunk for indexing.

I'm looking for a template script or configuration that someone might have already done to extract data from ES ...

Hope this helps clarify

appreciate any pointers

thanks, ronak

0 Karma
Reply

pedro50
New Member
‎09-28-2015 06:18 AM

Hi Ronak,

we are facing the same situation, would like to got ALL syslog data from elastich search to Spunk.
You have been able to solve the issue

Many txs in advance

0 Karma
Reply

masonmorales
Influencer
‎09-28-2015 07:12 AM

I agree with Chris on this. Anyone looking to do this would be better off installing a UF (or HF) on the same data source that ES is using (e.g. syslog server). Even if you had an easy way to port data from ES to Splunk, you would be introducing a new point of failure, and would inherit any issues ES has with data integrity, availability, etc.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...