
Have a Redis function question. Let's say I have a Splunk Search collector that runs without mode as csv. Can that data be passed to the Redis function to then write the results into Redis? Anyone tried that?

Hi, although I found CSV a very useful way of populating Redis, you can send the Splunk Search results to a pipeline and use the Redis 'set', 'hset', 'append' on the events


ok i just see in the search collector that requires an output mode. are you saying use the Splunk Search under pull instead?


ah they both have an output mode


exactly. json or csv


ok so it does not matter which one to use before sending to the redis function?


correct. you can do this for example. any key with the many redis options will do the trick


ok i did a quick test on my search and that worked and it pulled the 2 fields per line that need to be put into Redis. let's say field1 and field2 are in each data event. How do I add those two fields using one field appended to use as the key?
Example:
mykeyname:field1value
The fields and values under this key would be:
field1 mydata1
field2 mydata2


Redis is pretty simple. One key, one value. Are the field names static? When you need them on Cribl, will you know their names?


yes


If yes, I'd consider naming the key field1_mykeyname, or the other way round


And then construct a Redis lookup from whatever your value is plus that field name


A solution I just used for exporting a small CSV from Splunk. Export Everything add-on to SFTP CSV for /opt/cribl/state directory. Didn't want to set up Redis... 😆


This is a 34 million CSV file, so no thanks. I figured out what I needed to do in the Redis function so all is good!


:nice-intensifies: !!

