Author: George Starcher (starcher) Email: [email protected]
This is a rework of the modular alert made for the Splunk 2016 .conf talk on KVStore by myself and Duane Waddle. It includes the original modular alert to send search results to a remote KVStore collection.
Now it has two modular inputs. One to pull a remote KVStore to a local KVStore. The other pulls the remote KVStore and indexes it in JSON format.
All materials in this project are provided under the MIT software license. See license.txt for details.
- Splunk 6.3+
- Supported on Windows, Linux, MacOS, Solaris, FreeBSD, HP-UX, AIX
- Configured KVStore Collections
- Install to your $SPLUNK_HOME/etc/apps directory
- Restart Splunk
First you need to setup the TA by adding the appropriate Splunk User with permissions to the remote KVStore. This is stored in the Splunk Encrypted password storage.
Devise your search that results are a table matching the format for the remote KVStore based table (collection). Schedule the search and attach the modular alert to send the results to the remote KVStore.
The alert has been updated that if a field has '\n\ new line characters in it that it will be sent as a multivalue. This is because the alert is most often used with inputlookup of a kvstore you want to send across and the nultivalue fields were being turned into single value strings.
This expects the same collection definition on the source KVStore as the local receiving KVStore.
This pulls the remote KVStore and drops the hidden fields. It exposes the _key from the KVStore as a field named key and adds the json formatted records to the deestination index.
You have the option to replace the destination KVStore table. This means a delete all data is executed before the new table results are added.
The update option just adds the results to the table. If the _key field matches then it updates the existing records.