Splunk Enterprise Security

Is it possible to add a custom pipeline?

nandha_2
Engager

Hi there,

I would like to add a custom pipeline before the indexer pipeline. Does Splunk offer this possibility?

Thanks

0 Karma

gcusello
SplunkTrust

Hi nandha_2,
No, if you need to process your logs before indexing, you have to run a pre-parsing script outside Splunk and index the output file.

We had to encrypt a field in a log file using a key, because our customer wanted to archive this data in encrypted format, but they also wanted to be able to recreate the original value using the encryption key.
To do this, we used a script that parsed the log file, and then we indexed the output.

This is easy if you have a syslog data flow or a file on the Splunk server, but less easy if you receive logs via a Forwarder, because you have to distribute the external script to every Forwarder.

In addition, you lose real-time monitoring because there is always a delay between the log's arrival and its indexing time.

We asked Splunk to add the possibility to run a script before indexing, but it is not available yet.

Bye.
Giuseppe

0 Karma
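A minimal version of the pre-parsing step Giuseppe describes (encrypt one field with a key before the file is indexed, and recover the original with the same key), written here as an added example that is not code from the thread. It assumes the `cryptography` package (Fernet), key=value log lines, and a field named `user`; the sample lines are constructed.

```python
"""Pre-parse a log file outside Splunk: replace one field's value with its
ciphertext so the indexed copy is unreadable without the key, while the
original value can still be recovered from the indexed line with that key."""
import re
from cryptography.fernet import Fernet  # assumed dependency, not stdlib

# Constructed sample lines, not real data.
SAMPLE_LOG = [
    "ts=2024-01-01T10:00:00Z user=alice action=login src=10.0.0.5",
    "ts=2024-01-01T10:00:05Z user=bob action=logout src=10.0.0.6",
]
FIELD = "user"  # hypothetical field to protect
# Match `user=<value>` only at a token boundary; Fernet tokens are
# URL-safe base64 with no whitespace, so \S+ also captures them on decrypt.
FIELD_RE = re.compile(rf"(?<!\S){FIELD}=(\S+)")


def new_key() -> bytes:
    """Generate a Fernet key; keep it with the data owner, not on the indexer."""
    return Fernet.generate_key()


def encrypt_field(line: str, key: bytes) -> str:
    """Return the line with the FIELD value replaced by its Fernet token."""
    f = Fernet(key)
    return FIELD_RE.sub(
        lambda m: f"{FIELD}={f.encrypt(m.group(1).encode()).decode()}",
        line, count=1)


def decrypt_field(line: str, key: bytes) -> str:
    """Reverse encrypt_field on an indexed line; raises InvalidToken on a wrong key."""
    f = Fernet(key)
    return FIELD_RE.sub(
        lambda m: f"{FIELD}={f.decrypt(m.group(1).encode()).decode()}",
        line, count=1)


def preprocess(lines, key: bytes):
    """The pre-parser: transform every line, then index the result instead."""
    return [encrypt_field(line, key) for line in lines]


if __name__ == "__main__":
    key = new_key()
    for out in preprocess(SAMPLE_LOG, key):
        print(out)  # write these to the file Splunk monitors
```

Lines without the field pass through unchanged, so the script can sit in front of a mixed log stream.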

nandha_2
Engager

Dear Splunk Team,

I am using the Splunk API (push mechanism) to retrieve all notables from the index, so I can see them in the ticketing system.

First I send a query (using the Splunk API) to the notable index to get all the notables within a 5-minute timeframe. Assume that I have 20 notables and all 20 have the "drill_down" search command. This is just one query.

Now I have to hit the search head 20 times to retrieve all the related events for each notable incident, since the drill-down provides the search for Contributing Events, right?

Now I don't want to hit the search head 20 times to run all the drill-down searches. A slight change in the approach:

Can I hold all the events that matched the correlation search of the Splunk ES app before they get indexed in the notable index?

So that's like: correlation search runs --> (store all the contributing events in a file) --> then allow Splunk to index into index=notable on disk.

This is what a custom pipeline inside the indexer pipeline should help me achieve.

0 Karma

DalJeanis
SplunkTrust

What would the function of that custom pipe be? What is the use-case?

0 Karma

nandha_2
Engager

Please find my comments inside.

0 Karma