topic Re: Change source and sourcetype in Getting Data In

Change source and sourcetype

hartfoml — Tue, 31 Jan 2012 21:11:17 GMT

I have several thousand events that I want to change the source and sourcetype. I started putting them in the index with one source type then realized that it should have been something else.

I want to go back and change the old source type info on the old events so that they have the same sourcetype as the new records.

Anyone know how to do this???

Re: Change source and sourcetype

bojanz — Tue, 31 Jan 2012 21:31:34 GMT

You cannot change it once it has been indexed.

However, what you can do is the following:

1) Export the logs with incorrect sourcetype so you have the raw, original logs:

splunk search "index=myindex sourcetype=wrong_source_type" -maxour 0 > raw.logs

2) Delete the logs with incorrect sourcetype. You have to add the delete role to your account before doing this:

index=myindex sourcetype=wrong_source_type | delete

3) Reindex the raw logs with the correct sourcetype.

Re: Change source and sourcetype

hartfoml — Tue, 31 Jan 2012 22:02:08 GMT

this will probably work for me

If i might, Can I trouble you for the command to reindex the raw.logs file ???

Re: Change source and sourcetype

bojanz — Tue, 31 Jan 2012 22:13:23 GMT

Probably the easiest way is to used the oneshot command:

splunk add oneshot raw.logs -host myhost -index myindex -sourcetype correct_sourcetype

You can use whatever else you want - index through web interface with 4.3, use a monitor stanza on a file ...

Re: Change source and sourcetype

hartfoml — Mon, 28 Sep 2020 10:22:49 GMT

thanks for the help

Here is a good link to this problem

http://splunk-base.splunk.com/answers/22421/how-to-export-large-volume-of-raw-data-out-of-a-index

here is the code I used to copy out the data

./splunk search "index=firewall_juniper" earliest=1/26/2012:0:0:0 latest=02/01/2012:09:08:15 -preview 0 -maxout 0 -output rawdata >../juniper_raw.logs

then I used the same search to delete the records then I did the oneshot on the juniper_raw.logs into the firewall_juniper index with the right host, source and sorcetype info

Re: Change source and sourcetype

alaorath — Mon, 16 Mar 2015 22:53:36 GMT

Came across this post trying to correct sourcetype errors in my instance. there is an error in the accepted answer, the command should be:

splunk search "index=myindex sourcetype=wrong_source_type" -maxout 0 > raw.logs

You can then impart the file with:

splunk add oneshot raw.logs -sourcetype mysourcetype -index myindex -host myhostparam

But be aware that this will set the "source" for that sourcetype to the "raw.logs" location... so make sure you're not using source= in your filters or it will miss those bulk indexed files.

Re: Change source and sourcetype

samcogheil — Sun, 26 Apr 2015 10:27:49 GMT

You can also use 'rename-source' to rename the source. i.e.

splunk add oneshot raw.logs -sourcetype mysourcetype -index myindex -host myhost -rename-source mysource

Re: Change source and sourcetype

Prakash493 — Tue, 09 Jul 2019 15:50:42 GMT

in our clustered environment where we should execute these commands in cluster master or in any indexer.