Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Indexing updatable data from a relational database

ecoquelin
Explorer
‎07-24-2018 12:54 AM

Dear all,

I am wondering what is the best strategy regarding indexing data coming from a relational database which could change over the time.

Let's take the example of a CRM where you could find a table called "CUSTOMER". That record contains several infos like "last name", "first name" or "address". "Address" field may change over time.

If I index that record (and the others from the same table) because I would like to provide some statistics regarding my customer base using splunk, what would be the best strategy to handle the case where one field may change ?

If my indexation strategy is based on a "modifiedDate" field, the record will get indexed as many times as there are modifications in my table. But as a result, I will get the same customer several times in my index and the statistical results will become wrong.

What would you advise ?

Tags (1)
0 Karma
Reply

kmorris_splunk
Splunk Employee
Splunk Employee
‎07-24-2018 06:56 AM

Splunk does not allow for updating of indexed data. So you are correct that each time there is a change, you will have a new event in Splunk. However, you can still analyze the data correctly by only looking at the latest data by customer. Here is an example:

Sample Data:

custname,mydata,moddate
John Smith,123,07/24/18 09:40:00
Bob Jones,987,07/22/18 12:00:00
Sue Simmons,576,04/12/18 08:00:00
John Smith,321,03/20/17 15:00:00
Bob Jones,142,05/11/16 08:00:00

Search:

index="scratchpad" sourcetype="updateddata" 
| stats latest(mydata) by custname

Search Results:
alt text

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...