Splunk Search

How to add to an existing non-summary index from a Splunk search if certain results are returned?

jimdiconectiv
Path Finder

I need to be able to add to an existing non-summary index when a Splunk search returns certain results. The new event will be added to an existing custom alerts index --- it is not a regular Splunk alert.

I am so far only finding solutions for doing summary indexing like "collect" which adds overhead. We can do this via calling a script, but I would prefer not to.

0 Karma

lguinn2
Legend

I suggest that you write a scheduled search that triggers an alert action. The action should be "run a script." In the script, simply write whatever you want to record to a log file. In inputs.conf, set a monitor input to read that log file and put the data in the index of your choice.

I have used this technique successfully. I strongly recommend that you follow Splunk's best practices for the log file that you create: Logging best practices

I realize that you said you would prefer not to call a script, but I am unclear why using a scripted alert is more problematic than other kinds of code - I don't know how to do this without writing some code. The search language can only add data to a summary index; you cannot add data to a "non-summary" index without using the normal Splunk input/parsing pipelines. And the only way into the pipelines is via some kind of input...

Another way to keep state information is to use the KV store, but then the data is accessible as a lookup, not searchable as an index. Since you are adding to an existing index, I don't think that is a viable option for your case.

0 Karma
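The procedure in the answer above, as an added example that is not code from the thread or from Splunk: a minimal POSIX shell script for the "run a script" alert action that appends one key=value event line to a log file, with the matching inputs.conf monitor stanza shown in the header comment. It assumes the legacy scripted-alert argument layout that Splunk passes to such scripts ($1 number of events, $4 saved search name, $5 trigger reason, $8 path to the gzipped raw results) and that the script is placed in $SPLUNK_HOME/bin/scripts. The log path, index name and sourcetype are placeholders chosen for this illustration, not values from the original post.

```shell
#!/bin/sh
# custom_alert.sh: added example, not from the original thread.
# Assumes Splunk's legacy "run a script" alert arguments:
#   $1 = number of events returned   $4 = name of the saved search
#   $5 = trigger reason              $8 = path to the gzipped raw results
# Assumed inputs.conf stanza that feeds the file into the existing custom index:
#   [monitor:///var/log/custom_alerts/custom_alerts.log]
#   index = custom_alerts
#   sourcetype = custom_alert
# Path, index and sourcetype are placeholders for this example.

LOGFILE="${CUSTOM_ALERT_LOG:-/var/log/custom_alerts/custom_alerts.log}"

# Keep one event per line: drop CR/LF and escape double quotes so a
# search name or trigger reason cannot break the key=value structure.
sanitize() {
    printf '%s' "$1" | tr -d '\r\n' | sed 's/"/\\"/g'
}

# Build one event line in the shape Splunk's logging best practices recommend:
# ISO 8601 timestamp first, then key=value pairs with quoted string values.
# $1 timestamp, $2 search name, $3 trigger reason, $4 result count, $5 results file
format_event() {
    printf '%s action=custom_alert search_name="%s" trigger_reason="%s" result_count=%s results_file="%s"\n' \
        "$1" "$(sanitize "$2")" "$(sanitize "$3")" "$4" "$(sanitize "$5")"
}

# Append the line; the monitor input picks it up and indexes it through
# the normal parsing pipeline, so it is searchable like any other event.
append_event() {
    mkdir -p "$(dirname "$LOGFILE")"
    printf '%s\n' "$1" >> "$LOGFILE"
}

# Only act when invoked by Splunk with its full argument list.
if [ "$#" -ge 8 ]; then
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    line=$(format_event "$ts" "$4" "$5" "$1" "$8")
    append_event "$line"
fi
```

The file must be writable by the user Splunk runs as, and the monitor input will follow log rotation on its own, so a standard logrotate policy on the file is enough to keep it from growing without bound.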

somesoni2
Revered Legend

Could you provide more details on what you're trying to achieve, probably with some examples?

0 Karma