Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to stream real-time search results into a summary index or another index?

clyde772
Communicator
‎04-14-2015 08:26 AM

I had some pre-processing requirement using splunk real-time search, so once I put together those results, I would like to stream the results of the real-time search in another index. I couldn't figure out a way to do it, so I ended up writing a python script that kicks off a real-time search and pipes the results as scripted input.

There's gotta be a better way of doing this! Anybody had similar demands?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

stephanefotso
Motivator
‎04-14-2015 09:01 AM

Try the collect command. something like this:

   ............ | collect index=newindex

For more informations, take a look here: http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Collect

SGF

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

stephanefotso
Motivator
‎04-14-2015 09:01 AM

Try the collect command. something like this:

   ............ | collect index=newindex

For more informations, take a look here: http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Collect

SGF
0 Karma
Reply
Solved! Jump to solution

clyde772
Communicator
‎04-14-2015 09:05 AM

Stephanefotso, thanks for the reply! Of course I have tried that, but with real-time search, it wound not write the results until I stop the search. I am trying to make it to just stream into an index, as a real-time search crunches out the rows. Let me know if you have any other thoughts.

Appreciate it!

0 Karma
Reply
Solved! Jump to solution

stephanefotso
Motivator
‎04-16-2015 01:36 AM

Surprising! OK annother way to do it is to create an alert, wich, wen triggered, populate a summary index you have created. You can set a condition for the alert to be triggered as when the number of events is greatter than 0, or setup a Real Time alert. i did it and it is working perfectly!
Let me know your impression!

SGF
Reply
Solved! Jump to solution

clyde772
Communicator
‎04-16-2015 05:53 PM

Stephanefotso, That's a great idea. It's great, how we can tweak Splunk to do anything huh? Thanks! Let me give it a shot!

0 Karma
Reply
Solved! Jump to solution

joy76
Path Finder
‎01-06-2016 01:38 AM

Hi
I tried it. But failed. Im using splunk 6.1.9.
Is Splunk version wrong?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...