Getting Data In

Change source and sourcetype

hartfoml
Motivator

I have several thousand events that I want to change the source and sourcetype. I started putting them in the index with one source type then realized that it should have been something else.

I want to go back and change the old source type info on the old events so that they have the same sourcetype as the new records.

Anyone know how to do this???

1 Solution

bojanz
Communicator

You cannot change it once it has been indexed.

However, what you can do is the following:

1) Export the logs with incorrect sourcetype so you have the raw, original logs:

splunk search "index=myindex sourcetype=wrong_source_type" -maxour 0 > raw.logs

2) Delete the logs with incorrect sourcetype. You have to add the delete role to your account before doing this:

index=myindex sourcetype=wrong_source_type | delete

3) Reindex the raw logs with the correct sourcetype.
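A scripted version of the three steps above, added here as an example and not part of the original thread: it counts the events first and refuses to run the delete unless the exported file actually holds that many lines, so a mistyped flag that yields an empty export cannot end in data loss. The SPLUNK_BIN path, the index, sourcetype and host names, and the assumption that events are single-line are all mine.

```shell
#!/bin/sh
# Export -> verify -> delete -> reindex. SPLUNK_BIN, the index/sourcetype/host
# values and the single-line-event assumption are constructed for this example.
SPLUNK_BIN="${SPLUNK_BIN:-/opt/splunk/bin/splunk}"

# Number of indexed events matching the search (stats count, no raw data).
count_events() {  # $1 = index, $2 = sourcetype
    "$SPLUNK_BIN" search "index=$1 sourcetype=$2 | stats count" -preview 0 -output csv \
        | tail -n 1 | tr -d '"\r '
}

# Export raw events; -output rawdata writes one event per line.
export_events() {  # $1 = index, $2 = sourcetype, $3 = output file
    "$SPLUNK_BIN" search "index=$1 sourcetype=$2" -preview 0 -maxout 0 -output rawdata > "$3"
}

# Safe to delete only if the file is non-empty and its line count equals $1.
# Assumes single-line events; for multi-line data compare a stats count of
# the reindexed sourcetype instead. Returns 0 when safe, 1 otherwise.
verify_export() {  # $1 = expected count, $2 = exported file
    [ -s "$2" ] || return 1
    lines=$(wc -l < "$2" | tr -d ' ')
    [ "$lines" -eq "$1" ]
}

# The thread's procedure with the verification step in the middle.
resourcetype_events() {  # $1 index, $2 wrong sourcetype, $3 correct sourcetype, $4 host, $5 file
    expected=$(count_events "$1" "$2")
    [ "$expected" -gt 0 ] 2>/dev/null || { echo "no events to move" >&2; return 1; }
    export_events "$1" "$2" "$5"
    if ! verify_export "$expected" "$5"; then
        echo "export mismatch: expected $expected events in $5, refusing to delete" >&2
        return 1
    fi
    # | delete needs the can_delete capability; it hides events, it does not free disk.
    "$SPLUNK_BIN" search "index=$1 sourcetype=$2 | delete" -preview 0 >/dev/null
    # -rename-source keeps searches that filter on source= from missing the reindexed data.
    "$SPLUNK_BIN" add oneshot "$5" -index "$1" -sourcetype "$3" -host "$4" \
        -rename-source "reindexed_from_$2"
}
```

Run it as `resourcetype_events myindex wrong_source_type correct_sourcetype myhost raw.logs` from an account that holds the delete role.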

alaorath
Path Finder

Came across this post trying to correct sourcetype errors in my instance. There is an error in the accepted answer; the command should be:

splunk search "index=myindex sourcetype=wrong_source_type" -maxout 0 > raw.logs

You can then import the file with:

splunk add oneshot raw.logs -sourcetype mysourcetype -index myindex -host myhostparam

But be aware that this will set the "source" for that sourcetype to the "raw.logs" location... so make sure you're not using source= in your filters or it will miss those bulk indexed files.


samcogheil
Explorer

You can also use 'rename-source' to rename the source. i.e.

splunk add oneshot raw.logs -sourcetype mysourcetype -index myindex -host myhost -rename-source mysource

Prakash493
Communicator

In our clustered environment, where should we execute these commands: on the cluster master or on any indexer?


hartfoml
Motivator

Thanks for the help.

Here is a good link to this problem

http://splunk-base.splunk.com/answers/22421/how-to-export-large-volume-of-raw-data-out-of-a-index

Here is the code I used to copy out the data:

./splunk search "index=firewall_juniper" earliest=1/26/2012:0:0:0 latest=02/01/2012:09:08:15 -preview 0 -maxout 0 -output rawdata >../juniper_raw.logs

Then I used the same search to delete the records, then I did the oneshot on the juniper_raw.logs into the firewall_juniper index with the right host, source and sourcetype info.


bojanz
Communicator

Probably the easiest way is to use the oneshot command:

splunk add oneshot raw.logs -host myhost -index myindex -sourcetype correct_sourcetype

You can use whatever else you want - index through web interface with 4.3, use a monitor stanza on a file ...


hartfoml
Motivator

This will probably work for me.

If I might, can I trouble you for the command to reindex the raw.logs file???
