Solved: How to save a filtered set of events to a seperate...

jameshgibson · ‎07-22-2013

We have a system that produces several GB of logs per day. Of that there is only maybe a few MB that contains information that is worth searching through in Splunk. What I would like to do is set up a scheduled search that saves just the events we care about to a seperate index to help improve search speeds.

I have been trying to use summary indexing for this but I seem to lose all the _time data that go with the events. Is there anyway just to save the filtered events?

Ayn · ‎07-22-2013

collect?

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Collect

View solution in original post

Ayn · ‎07-22-2013

collect?

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Collect

jameshgibson · ‎07-22-2013

I have given it a go but the _time field doesn't get save in the index I specify. It just defaults all the events to the time I started the search. Is there something else I need to do?

How to save a filtered set of events to a seperate index?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

How to save a filtered set of events to a seperate index?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem