Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk logs dedup/consolidation

astatrial
Contributor
‎04-01-2019 08:36 AM

Hi Splunkers!

Do any of you know if there is a built-in feature or mechanism in Splunk that aggregates similar logs into one log?

In other words, i want to know if Splunk knows not to index identical or similar logs, and by that, to reduce the license's usage.

I know that this can be achieved by manually editing the props and transforms files, but if i'm not wrong, this process will need to be done specifically to every log structure.

I'm looking for something more generic and on the back-end

Thanks !

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-01-2019 04:47 PM

Splunk forwarders will not ingest the same file twice (there are ways around that), but the same data from multiple sources are happily onboarded.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

astatrial
Contributor
‎04-02-2019 12:04 AM

Hi, thanks for the response,
I will try to explain myself better.
I want to know if there is any process that Splunk does referring to the content of the log, and not on the file level.
For example, if there is an event with the same parameters at the same timestamp/very close timestamps, it will indexed only one time.
Like coalescing in QRadar.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-02-2019 06:48 AM

Splunk ingests everything. There is no automatic deduplication.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

astatrial
Contributor
‎04-02-2019 06:56 AM

Thanks, I already managed to put together an answer for that.
There is a raw data compression, which is approximately 40%-50% than the original raw data size, but it doesn't affect the license.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-02-2019 01:38 PM

Data compression is not the same as deduplicating or coalescing.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

astatrial
Contributor
‎04-03-2019 01:05 AM

Yes, i am aware of that, but as well as i could find, this is the only built-in thing that decrease the size of the logs in Splunk (as you mentioned, there is no deduplicating or coalescing).
In any case, thanks for everything.

0 Karma
Reply

adonio
Ultra Champion
‎04-01-2019 03:16 PM

what is the problem you are trying to solve?
where is the data coming from? can you elaborate on the meaning of "... similar logs into one log ..."?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...