cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
jacksonmcarthur
Engager
Member since: ‎02-25-2020
‎02-18-2021
Community Statistics
Posts 4
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎02-25-2020
Activity Feed
View All

Re: Performing procedural search on daily indexed ...

by in Getting Data In
‎02-27-2020 02:46 PM
‎02-27-2020 02:46 PM
Awesome, didn't know that about scheduled searches! Thank you for all the help 🙂 ... View more

Re: Performing procedural search on daily indexed ...

by in Getting Data In
‎02-27-2020 02:00 PM
‎02-27-2020 02:00 PM
Sorry Koshyk, I should clairfy what I mean to ask. I'm all okay with indexing the raw data - what I'm asking about is whether or not it is possible to search the indexed logs only once. I want to perform a search, and output the resulting data to a .csv file. Here is some example code for that: index="myIndex" mySearchTerms | outputcsv myCsvFile.csv append=true But if I perform this search once a day, logs in the index will get searched more than one time, which leads to longer processing times (as the index gets larger), and redundant data making its way into the .csv output. Is it possible to perform a search only on data that has not been searched yet? ... View more

Re: Performing procedural search on daily indexed ...

by in Getting Data In
‎02-26-2020 04:28 PM
‎02-26-2020 04:28 PM
Cool, thanks for the response! I have a follow up question: Can I leverage monitor to make sure that new incoming logs are only searched once? At the moment, the search restarts and reads every indexed log. This becomes a problem when the amount of logs for the month grows to a very large size; the search begins to take many hours to complete. ... View more

Performing procedural search on daily indexed data...

by in Getting Data In
‎02-25-2020 06:32 PM
‎02-25-2020 06:32 PM
Just looking for the best practice solution to the below problem. I'm pretty new to Splunk, so I feel the answer might be quite simple. The problem: Currently, a million logs come into a location daily. At the end of every month, these logs are indexed, and a report based on search results is created. Since thirty million logs are all being processed in a block, it takes a lot of time to index them - and an even longer time to search. The fix: A single search runs over the course of the month, indexing new logs as they arrive, searching them, and appending all results in one large XML, or CSV, or similar. The implementations: • Set an alert that triggers on detecting new files to be indexed. I.e: if not already indexed, index them and immediately run the search on these new files, then append resulting search data to file. • Run tscollect daily on data that is already not indexed in a .tsidx to collect a relevant subset of data from raw, then process it in a block to create a report at end-of-month using the quicker tstats . • Simply set a scheduled search (searching last 24h) to run daily after the logs are indexed, appending results to file. Thanks for the help! ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎02-18-2021 04:16 PM
Karma given to
View All