https://community.splunk.com/t5/Getting-Data-In/Move-logs-to-another-Index/m-p/13331#M1178 <P>Yes. This can be done, the question is how badly do you need to move the data. As of Splunk 4.x, you can search multiple indexes at once, so this is often not a big deal. If however, you cannot find a way around moving your events from one index to another, than the following may be of help:</P> <P>Events can be exported and imported using <CODE>exporttool</CODE> and <CODE>importtool</CODE>. Which is one way of moving events from one index to another, but this can be a fairly daunting task. Especially if you are trying to move a source or sourcetype that splunk has been indexing for a long period of time. </P> <P>Essentially, these tools can be used to import and export the content of a bucket using a simple CSV file format. You can export the content of one bucket (from you existing index) and then import those events into a bucket (in your desired index). If your source/sourctype to be moved exists across multiple buckets in your source index, then you will have to deal with each bucket individually. (This is where it starts to get really ugly, time-consuming, and potentially dangerous to your data if you screw up...)</P> <P>If you are looking to only move a few sources/sourcetypes, then you may be able to do so by simply indicating the source/sourcetype when calling <CODE>exporttool</CODE>, otherwise you may need to export all the events (using <CODE>meta::all</CODE>) and write a small CSV-processing script/utility of some kind to sift out the events you want to migrate to a different index.</P> <P>For example, if you are trying to move the sourcetype <CODE>WinEventLog:Application</CODE> from the <CODE>main</CODE> (<CODE>default</CODE>) index to the <CODE>os</CODE> index, something like this could get you started:</P> <BLOCKQUOTE> <P><CODE>splunk cmd exporttool defaultdb/db_1262807912_1262278800_6 /dev/stdout -csv sourcetype::WinEventLog:Application | splunk cmd importtool os/db_temp /dev/stdin</CODE></P> </BLOCKQUOTE> <P>Of course at this point we have only copied the events. You still have to remove the events from the source bucket. After that, you would need to remove the events from your default index, and rename the <CODE>db_temp</CODE> bucket with an appropriate name (see the script on the wiki page linked below)</P> <P>You may find some additional information here:</P> <UL> <LI><A href="http://www.splunk.com/wiki/Community:Modifying_indexed_data_via_export_and_import" rel="nofollow">http://www.splunk.com/wiki/Community:Modifying_indexed_data_via_export_and_import</A></LI> </UL> <P></P><HR /><P></P> <P><STRONG>Update:</STRONG> As of Splunk 4.1.4(ish) the <CODE>meta::all</CODE> is not longer recognized by the <CODE>exporttool</CODE> command. Simply omitting that option should result in all events being exported.</P> Thu, 13 May 2010 20:42:43 GMT Lowell 2010-05-13T20:42:43Z https://community.splunk.com/t5/Getting-Data-In/Move-logs-to-another-Index/m-p/13329#M1176 <P>Is there any way to move log data to another index after it has already been indexed?</P> <P>Example.. </P> <P>Windows logs were indexed into the main(default) index. I would like to move the data from that one host into another index.</P> <P>Running Splunk 4.0.11</P> Wed, 12 May 2010 21:54:39 GMT https://community.splunk.com/t5/Getting-Data-In/Move-logs-to-another-Index/m-p/13329#M1176 JHill 2010-05-12T21:54:39Z https://community.splunk.com/t5/Getting-Data-In/Move-logs-to-another-Index/m-p/13330#M1177 <P>After data has been stored in an index, it can't be moved. It can be deleted using the delete operator and then you could reload it into the proper index. (If it came from a flat-file or other simple reloadable source). </P> Thu, 13 May 2010 04:56:07 GMT https://community.splunk.com/t5/Getting-Data-In/Move-logs-to-another-Index/m-p/13330#M1177 dwaddle 2010-05-13T04:56:07Z https://community.splunk.com/t5/Getting-Data-In/Move-logs-to-another-Index/m-p/13331#M1178 <P>Yes. This can be done, the question is how badly do you need to move the data. As of Splunk 4.x, you can search multiple indexes at once, so this is often not a big deal. If however, you cannot find a way around moving your events from one index to another, than the following may be of help:</P> <P>Events can be exported and imported using <CODE>exporttool</CODE> and <CODE>importtool</CODE>. Which is one way of moving events from one index to another, but this can be a fairly daunting task. Especially if you are trying to move a source or sourcetype that splunk has been indexing for a long period of time. </P> <P>Essentially, these tools can be used to import and export the content of a bucket using a simple CSV file format. You can export the content of one bucket (from you existing index) and then import those events into a bucket (in your desired index). If your source/sourctype to be moved exists across multiple buckets in your source index, then you will have to deal with each bucket individually. (This is where it starts to get really ugly, time-consuming, and potentially dangerous to your data if you screw up...)</P> <P>If you are looking to only move a few sources/sourcetypes, then you may be able to do so by simply indicating the source/sourcetype when calling <CODE>exporttool</CODE>, otherwise you may need to export all the events (using <CODE>meta::all</CODE>) and write a small CSV-processing script/utility of some kind to sift out the events you want to migrate to a different index.</P> <P>For example, if you are trying to move the sourcetype <CODE>WinEventLog:Application</CODE> from the <CODE>main</CODE> (<CODE>default</CODE>) index to the <CODE>os</CODE> index, something like this could get you started:</P> <BLOCKQUOTE> <P><CODE>splunk cmd exporttool defaultdb/db_1262807912_1262278800_6 /dev/stdout -csv sourcetype::WinEventLog:Application | splunk cmd importtool os/db_temp /dev/stdin</CODE></P> </BLOCKQUOTE> <P>Of course at this point we have only copied the events. You still have to remove the events from the source bucket. After that, you would need to remove the events from your default index, and rename the <CODE>db_temp</CODE> bucket with an appropriate name (see the script on the wiki page linked below)</P> <P>You may find some additional information here:</P> <UL> <LI><A href="http://www.splunk.com/wiki/Community:Modifying_indexed_data_via_export_and_import" rel="nofollow">http://www.splunk.com/wiki/Community:Modifying_indexed_data_via_export_and_import</A></LI> </UL> <P></P><HR /><P></P> <P><STRONG>Update:</STRONG> As of Splunk 4.1.4(ish) the <CODE>meta::all</CODE> is not longer recognized by the <CODE>exporttool</CODE> command. Simply omitting that option should result in all events being exported.</P> Thu, 13 May 2010 20:42:43 GMT https://community.splunk.com/t5/Getting-Data-In/Move-logs-to-another-Index/m-p/13331#M1178 Lowell 2010-05-13T20:42:43Z https://community.splunk.com/t5/Getting-Data-In/Move-logs-to-another-Index/m-p/13332#M1179 <P>Is this still possible in Splunk 5 and 6?</P> Tue, 25 Nov 2014 16:32:16 GMT https://community.splunk.com/t5/Getting-Data-In/Move-logs-to-another-Index/m-p/13332#M1179 peter_krammer 2014-11-25T16:32:16Z