Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how can I keep the original host name in my summary index?

w199284
Explorer
‎04-01-2019 05:12 PM

I would like to duplicate a subset of events to another index. Just an exact duplicate of the original event. Summary indexing works great (as does collect) with the exception that I lose the original host and source information. I need the host. Source would be nice. I have not been able to figure out how to get those values in my summary index. I just don't have the knowledge to see the solution. Can someone help me out?

I have spent a few days looking at other Answers but could not find any that just wanted an exact duplicate event. Actually metasearch came close to doing what I wanted but gave me errors having to do with exceeded maxsearches - and was noticeably slow.

I feel like this ought to be a straightforward thing to do but, after a few days trial and error, I am humbled. I greatly appreciate any help. Thank You.

0 Karma
Reply

dflodstrom
Builder
‎04-01-2019 08:07 PM

You can use an eval to store the original host value: | eval orig_host=host | collect ...

Reply

kpkeimig
Path Finder
‎06-09-2022 09:50 PM

Watch your output format, the default is raw, optionally can set it to output_format=hec which would pass fields (and not redo extraction).

Example for a raw:
index=_audit source=audittrail sourcetype=audittrail host=sh* user=*
| eval _raw=_raw . ", " . "orig_host=" . host
| collect index=test source=audittrail sourcetype=audittrail

0 Karma
Reply

w199284
Explorer
‎04-02-2019 05:09 PM

Thank you dflodstrom! I tried this technique and it sort of worked. I did not get a new field in my summary index named orig_host but the source value WAS updated to the original hostname. It is quite likely I am omitting something. There is so much I don't know about Splunk!

Before adding "eval" source = /opt/splunk/var/spool/splunk/c4f34f0ea0dcaeb2_events.stash_new

After adding "eval" source = abc.xyz.com

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...