Knowledge Management

How save the extracted fields into another Index

splunk_worker
Path Finder

Hi

From the complex log, I have extracted all the fields, which is about 60+ fields. I want to save these fields into the new index (using scheduled save search), so that the new index data will be in plain name-value pair and the search results will be faster.

Please let me know how to save the extracted fields include eval fields from one index into another index.

Any example would be great.

Thanks in advance.

Tags (2)
0 Karma
1 Solution

lguinn2
Legend

You could use summary indexing, but I would argue that your search results may not be much faster.

Splunk searches by keywords, not by fields. And every term in your data is already indexed.

View solution in original post

lguinn2
Legend

You could use summary indexing, but I would argue that your search results may not be much faster.

Splunk searches by keywords, not by fields. And every term in your data is already indexed.

splunk_worker
Path Finder

For any real time alerts based on the some pattern like ERROR, the alert creations will be on original events.

The original events doesn't need to be stored longer time in the Indexer as I don't want to write Dashboards search on original logs. Only the new index data which is plain and already extracted will be stored for longer time. It will be easy for users to write any searches aswell.

Please let me know your opinion.

0 Karma

splunk_worker
Path Finder

Basically what I'm looking is, the search time extraction (60+ fields extractions from complex format event log) everytime when Dashboard/search runs will take longer time to display the results. Hence for quicker results, I want schedule a search for every2-3 min and extract all the 60+ fields and store them in a plain name=value pairs in new index. So that, the dashboards/searches for any analytics will be faster loaded.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...