How to copy events from a search result to another...

jpillai · ‎06-21-2023

Hi all,

We have a an index (say log_index) where the log retention is only 7 days. We can not have this increased to larger values due to disk space restrictions. Now, we have a requirement where we would like to retain small parts of the logs in log_index for future reference, like search result for "index=log_index level=ERROR" for a 10 minute window or something.

Is it possible to copy a search result to another index which has a longer log retention?

I know we could export events, but it would be better to have these in a separate index so everyone will be able to make use of the same splunk log analytics tools on these.

Also I dont want to reindex logs since that will again be using up license available.

jpillai · ‎06-22-2023

Excellent. Thanks for sharing the details. I will try this out 🙂

gcusello · ‎06-22-2023

Hi @jpillai ,

good for you, see next time!

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

gcusello · ‎06-21-2023

Hi @jpillai,

yes, you can c opy the results of a search in a summary index without additional license consuption.

You should see the collect command (https://docs.splunk.com/Documentation/Splunk/9.0.5/SearchReference/Collect).

If you want to save only some fields, you can run something like this.

index=log_index level=ERROR
| table _time host user field1 field2 field3
| collect index=my_summary_index

if you want also the raw log, you can add the _raw field to the table command:

index=log_index level=ERROR
| table _time host user field1 field2 field3 _raw
| collect index=my_summary_index

Ciao.

Giuseppe

How to copy events from a search result to another index?

other

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!