How to add to an existing non-summary index from a Splunk search if certain results are returned?

jimdiconectiv
Path Finder

I need to be able to add to an existing non-summary index when a Splunk search returns certain results. The new event will be added to an existing custom alerts index --- it is not a regular Splunk alert.

I am so far only finding solutions for doing summary indexing like "collect" which adds overhead. We can do this via calling a script, but I would prefer not to.


lguinn2
Legend

I suggest that you write a scheduled search that triggers an alert action. The action should be "run a script." In the script, simply write whatever you want to record to a log file. In inputs.conf, set a monitor input to read that log file and put the data in the index of your choice.

I have used this technique successfully. I strongly recommend that you follow Splunk's best practices for the log file that you create: Logging best practices

I realize that you said you would prefer not to call a script, but I am unclear why using a scripted alert is more problematic than other kinds of code - I don't know how to do this without writing some code. The search language can only add data to a summary index; you cannot add data to a "non-summary" index without using the normal Splunk input/parsing pipelines. And the only way into the pipelines is via some kind of input...

Another way to keep state information is to use the KV store, but then the data is accessible as a lookup, not searchable as an index. Since you are adding to an existing index, I don't think that is a viable option for your case.

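The scripted-alert approach described above, as an added example (not the answer author's or Splunk's own code): a POSIX shell alert script that appends one timestamped key=value event per trigger to a log file, with the matching inputs.conf monitor stanza in a comment. The log path, index name and sourcetype are placeholders, and the positional-argument layout ($1 result count, $4 saved-search name, $5 trigger reason) is assumed from legacy scripted-alert behaviour; check it against your Splunk version.

```shell
#!/bin/sh
# Legacy Splunk scripted-alert action: record the triggering search as one
# key=value event in a log file that a [monitor://] input forwards to a
# custom (non-summary) index. Path, index and sourcetype are placeholders.
ALERT_LOG="${ALERT_LOG:-/opt/splunk/var/log/custom_alerts/alerts.log}"

# Escape double quotes and strip newlines so one event stays on one line.
kv_escape() {
    printf '%s' "$1" | tr -d '\n\r' | sed 's/"/\\"/g'
}

# Build one line in Splunk's recommended log format: timestamp first,
# then human-readable key=value pairs with quoted string values.
alert_log_line() {
    # $1 timestamp, $2 search name, $3 result count, $4 trigger reason
    printf '%s severity=INFO event_type=search_alert search_name="%s" result_count=%s trigger_reason="%s"\n' \
        "$1" "$(kv_escape "$2")" "$3" "$(kv_escape "$4")"
}

# Append an event for the current alert; fails if the count is not an integer.
append_alert_event() {
    # $1 log file, $2 search name, $3 result count, $4 trigger reason
    case "$3" in
        ''|*[!0-9]*) echo "result_count must be an integer: $3" >&2; return 1 ;;
    esac
    mkdir -p "$(dirname "$1")" || return 1
    alert_log_line "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" "$3" "$4" >> "$1"
}

# Matching inputs.conf stanza (placeholder index and sourcetype names):
#   [monitor:///opt/splunk/var/log/custom_alerts/alerts.log]
#   index = custom_alerts
#   sourcetype = custom:alert
#   disabled = 0

# Assumed legacy scripted-alert arguments: $1 = result count,
# $4 = saved-search name, $5 = trigger reason.
if [ "$#" -ge 5 ]; then
    append_alert_event "$ALERT_LOG" "$4" "$1" "$5"
fi
```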

somesoni2
SplunkTrust

Could you provide more details on what you're trying to achieve, probably with some examples?
