Save results of saved search back into an index.

johnsasikumar · ‎08-28-2019

Can we save results of a saved search/ search back into splunk. Something similar to a view in SQL database.
Splunk query processes the raw data(Scheduled)--> saves it back to an index.

renjith_nair · ‎08-28-2019

@johnsasikumar,

There are possibly two ways of doing it. Based on your use case, you could choose the better suited one

1 - Using Log events

Using the alert actions, you could send the log events to your splunk deployment for indexing

2 - Summary indexing

With summary indexing, you set up a frequently-running search that extracts the precise information you want. Each time this search is run, its results are saved into a summary index that you designate. You can then run searches and reports on this significantly smaller (and thus seemingly "faster") summary index

https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usesummaryindexing

---
What goes around comes around. If it helps, hit it with Karma 🙂

Save results of saved search back into an index.

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Save results of saved search back into an index.

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem