Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to copy events from a search result to another index?

jpillai
Path Finder
‎06-21-2023 10:54 PM

Hi all,

We have a an index (say log_index) where the log retention is only 7 days. We can not have this increased to larger values due to disk space restrictions. Now, we have a  requirement where we would like to retain small parts of the logs in log_index for future reference, like search result for "index=log_index level=ERROR" for a 10 minute window or something.

Is it possible to copy a search result to another index which has a longer log retention?

I know we could export events, but it would be better to have these in a separate index so everyone will be able to make use of the same splunk log analytics tools on these.

Also I dont want to reindex logs since that will again be using up license available.

0 Karma
Reply

jpillai
Path Finder
‎06-22-2023 10:24 PM

Excellent. Thanks for sharing the details. I will try this out 🙂 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-22-2023 11:11 PM

Hi @jpillai ,

good for you, see next time!

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-21-2023 11:09 PM

Hi @jpillai,

yes, you can c opy the results of a search in a summary index without additional license consuption.

You should see the collect command (https://docs.splunk.com/Documentation/Splunk/9.0.5/SearchReference/Collect).

If you want to save only some fields, you can run something like this.

index=log_index level=ERROR
| table _time host user field1 field2 field3
| collect index=my_summary_index

if you want also the raw log, you can add the _raw field to the table command:

index=log_index level=ERROR
| table _time host user field1 field2 field3 _raw
| collect index=my_summary_index

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...

Hi friends!    At Splunk, your product success is our top priority. With Enterprise Security (ES), we're here ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...