Storing raw events in a summary index
Sometimes it is desirable to copy events to another index. I have seen a couple of reasons for doing this, namely:
- Differing retention: if some special events need to be kept indefinitely, but the index where they are initially captured rolls off after some period of time, they can be captured into a summary index.
- Enrichment: sometimes the enrichment of data is too expensive to happen with every query, or it is important to capture events with the values from a lookup as the values existed at a particular point in time.
The process is essentially the same as creating any summary index events. Follow these steps:
1. Create a populating query.
2. Add interesting fields using the fields command.
3. Add a search_name field to the search definition.
4. Include _time, but rename _raw to raw.
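The steps above combined into one populating search, as an added example rather than the book's own query. It assumes a target summary index named summary_errors already exists, that the department and city fields are already provided by an existing lookup or extraction, and that you would rather write with the collect command than save the search with summary indexing enabled (saving the search is the book's approach; collect is the equivalent when you want an ad hoc or scripted copy):

```spl
sourcetype=impl_splunk_gen mary error
    | eval raw=_raw
    | eval search_name="errors_seen_by_mary"
    | fields _time raw department city search_name
    | collect index=summary_errors
```

The raw field preserves the original event text so it survives the copy, search_name lets you later find events written by this particular search in the shared summary index, and fields (rather than table) keeps _time as a real timestamp so the copied events land at their original time instead of the time the search ran.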
Let's capture all errors that mary sees, enriched with some extra data. First, create the query:
sourcetype=impl_splunk_gen mary error | eval raw=_raw | table _time raw department city
Save...