Hello guys,
How do I add events to an index like logevents without using an alert (using a search, for instance)?
There is the "collect" command, but I am not sure whether it applies to non-summary indexes.
Thanks.
Splunk 6.5.2 clustered environment.
Yes, you CAN use collect. Or you could set up your configuration to use CLONE_SOURCETYPE, depending on your use case.
Despite the name, a summary index does not necessarily have to contain only a summary style of data. Summary indexes provide a method to store pretty much any stuff you want. It can contain an entire copy of raw events, or even a copy of raw events with additional enrichment data added, making the detail events even bigger. If you need a different retention length for certain kinds of events, you CAN copy them to a summary index for that kind of treatment. Or you could use CLONE_SOURCETYPE.
There are lots of tools in the shed around here. If you tell us a little more about what you are trying to accomplish, then we can steer you through your options.
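To make the two options concrete, here is an added example (not from the answer above or from Splunk's own documentation) showing both the search-time route with collect and the index-time route with CLONE_SOURCETYPE. The index name logevents, the sourcetype app_log and the cloned sourcetype app_log_clone are assumed placeholders; the .conf stanzas go on the indexers (or heavy forwarders) in a clustered environment, and the target index must already exist there.

```ini
# --- Option 1: search-time copy with collect (run ad hoc or as a scheduled search) ---
#
#   index=main sourcetype=app_log ("failed login" OR "permission denied")
#   | collect index=logevents
#
# collect writes the matching events into the logevents index as sourcetype=stash
# (default; stash is not counted against license), so they can live under their
# own retention and role-based index restrictions without touching the originals.
# testmode=true runs the search without writing anything, which is useful before
# scheduling it.

# --- Option 2: index-time copy with CLONE_SOURCETYPE ---

# props.conf: every incoming app_log event passes through the clone transform
[app_log]
TRANSFORMS-clone_security = clone_app_log

# transforms.conf: duplicate each event under a new sourcetype.
# The original event is indexed unchanged; only the clone takes the new sourcetype.
[clone_app_log]
REGEX = .
CLONE_SOURCETYPE = app_log_clone

# props.conf: the clone is processed as its own sourcetype, so route it elsewhere
[app_log_clone]
TRANSFORMS-route_security = route_to_logevents

# transforms.conf: send the cloned copy to the logevents index
[route_to_logevents]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = logevents
```

Option 2 doubles ingest volume for the cloned sourcetype (the clone counts against license), so narrow the REGEX in clone_app_log to the events you actually need to keep separately.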
Hello,
yes it does.
Look here:
https://answers.splunk.com/answers/34946/move-some-content-source-from-one-index-to-another-index.ht...
Hope it helps.