Hi.
I have a huge number of requests getting logged, and as part of our index queries we need to do an external script lookup, basically from IP to geo info or similar. Since the lookup script is invoked every time, it's really inefficient. Instead I am trying to go through all the events using the Splunk SDK and then going ahead with the transform, caching it and making it efficient. My questions are:
- Instead of writing the stream to a new index, I just want to append the transformed field to the current event record.
- Is it possible?
- Or do you think it is not a good idea, and I should leave the raw base events as they are?
require_once 'Splunk.php';

// $service is a configured Splunk_Service; the connection details are placeholders
$service = new Splunk_Service(array(
    'host' => 'localhost',
    'port' => 8089,
    'username' => 'admin',
    'password' => 'changeme',
));
$service->login();

$search = 'search earliest=-30d index=main sourcetype="csv-2" | bucket _time span=1m | stats count(ip) by ip,_time | sort _time';
$job = $service->getJobs()->create($search);

// block until the search finishes
while (!$job->isDone()) {
    print $job->getProgress();
    $job->refresh();
}

// getResults() returns a raw stream; Splunk_ResultsReader parses it into rows
$reader = new Splunk_ResultsReader($job->getResults());

$i_param = array();
$i_param["index"] = "other";
$i_param["source"] = "csv-2";
$i_param["sourcetype"] = "job5";
$recv = $service->getReceiver();
$stream = $recv->attach($i_param);

foreach ($reader as $result) {
    // the reader also yields field-order and message objects; only arrays are rows
    if (!is_array($result)) {
        continue;
    }
    $ip = $result['ip'];
    // apply the (cached) IP -> geo transform to $ip here
    // write a separate event to the new index
    // How to append to the existing record instead? is it possible?
    $ostr = $result['_time'] . ' ip=' . $ip . ' count=' . $result['count(ip)'] . "\n";
    $r = fwrite($stream, $ostr);
}
fclose($stream);
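The caching step the post describes, as an added example that is not part of the original question or the Splunk SDK. It is written in Python rather than the post's PHP so it runs stand-alone offline: the search results are a constructed in-memory list shaped like the `stats count(ip) by ip,_time` output, and `fake_external_lookup` with its `FAKE_GEO_DB` table is a hypothetical stand-in for the external geo script. The external call is made once per distinct IP and memoized; the enriched events are then rendered both as newline-delimited events (what the PHP snippet would `fwrite()` to the receiver stream) and as a CSV keyed by `ip`, so the lookup result can also be reused without touching the base events.

```python
"""Memoize an external IP -> geo lookup and emit enriched copies of events.

Added example, not from the original post. The Splunk search and receiver
stages are replaced by in-memory data so the code runs offline.
"""
import csv
import io
import json

# Constructed sample rows, shaped like the output of
#   | bucket _time span=1m | stats count(ip) by ip,_time | sort _time
SAMPLE_ROWS = [
    {"_time": "2013-05-01T10:00:00.000+00:00", "ip": "203.0.113.5", "count(ip)": "12"},
    {"_time": "2013-05-01T10:00:00.000+00:00", "ip": "198.51.100.7", "count(ip)": "3"},
    {"_time": "2013-05-01T10:01:00.000+00:00", "ip": "203.0.113.5", "count(ip)": "8"},
    {"_time": "2013-05-01T10:01:00.000+00:00", "ip": "192.0.2.9", "count(ip)": "1"},
    {"_time": "2013-05-01T10:02:00.000+00:00", "ip": "198.51.100.7", "count(ip)": "5"},
]

# Hypothetical stand-in for the external script's data; a real lookup
# would shell out or call a geo service, which is exactly the slow part.
FAKE_GEO_DB = {
    "203.0.113.5": {"country": "US", "city": "Seattle"},
    "198.51.100.7": {"country": "DE", "city": "Berlin"},
}


def fake_external_lookup(ip):
    """Stand-in for the external IP -> geo script (constructed data)."""
    return FAKE_GEO_DB.get(ip, {"country": "unknown", "city": "unknown"})


class GeoCache:
    """Calls the external lookup at most once per distinct IP."""

    def __init__(self, lookup):
        self._lookup = lookup
        self._cache = {}
        self.external_calls = 0  # how many times the slow path actually ran

    def get(self, ip):
        if ip not in self._cache:
            self.external_calls += 1
            self._cache[ip] = self._lookup(ip)
        return self._cache[ip]

    def entries(self):
        """(ip, geo) pairs sorted by ip, for writing a lookup table."""
        return sorted(self._cache.items())


def enrich_rows(rows, cache):
    """Return copies of the rows with geo_country / geo_city added."""
    enriched = []
    for row in rows:
        geo = cache.get(row["ip"])
        event = dict(row)  # do not mutate the source row
        event["geo_country"] = geo["country"]
        event["geo_city"] = geo["city"]
        enriched.append(event)
    return enriched


def to_event_lines(events):
    """One JSON object per line: the payload one would write to a receiver stream."""
    return "".join(json.dumps(e, sort_keys=True) + "\n" for e in events)


def to_lookup_csv(cache):
    """Render the cache as a CSV keyed by ip (header: ip,country,city)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["ip", "country", "city"])
    for ip, geo in cache.entries():
        writer.writerow([ip, geo["country"], geo["city"]])
    return buf.getvalue()


if __name__ == "__main__":
    geo_cache = GeoCache(fake_external_lookup)
    events = enrich_rows(SAMPLE_ROWS, geo_cache)
    print(to_event_lines(events))
    print("external lookups:", geo_cache.external_calls, "for", len(SAMPLE_ROWS), "rows")
    print(to_lookup_csv(geo_cache))
```

Five rows but only three distinct IPs mean three external calls; on a real 30-day window the ratio is what makes the per-event script invocation painful. Keying the cache on the IP alone assumes the geo answer does not change within the window, which is reasonable for country/city data.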