<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Indexing data in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Indexing-data/m-p/79943#M16446</link>
    <description>&lt;P&gt;If the entire file is being reindexed and you don't want the history, could you do something like the following based on your data?&lt;/P&gt;

&lt;P&gt;...your search... | head 1&lt;/P&gt;

&lt;P&gt;This way it gets the most recent file/record.&lt;/P&gt;</description>
    <pubDate>Sun, 31 Mar 2013 03:11:12 GMT</pubDate>
    <dc:creator>Runals</dc:creator>
    <dc:date>2013-03-31T03:11:12Z</dc:date>
    <item>
      <title>Indexing data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Indexing-data/m-p/79941#M16444</link>
      <description>&lt;P&gt;Is it possible to have Splunk index all the data in a file and, when the file is changed, remove the currently indexed data in Splunk and replace it with the new data in the file?&lt;BR /&gt;
I do not need the history of the data and am just interested in the current status of the test.&lt;BR /&gt;
The issue is that every time an event is written to a file it is being indexed even though one element has changed.&lt;/P&gt;

&lt;P&gt;i.e. &lt;/P&gt;

&lt;P&gt;Original file content&lt;/P&gt;

&lt;P&gt;"test": "A", "status": "Pass"&lt;BR /&gt;
"test": "B", "status": "Pending"&lt;/P&gt;

&lt;P&gt;New file content. Test B has changed from Pending to Failed.&lt;/P&gt;

&lt;P&gt;"test": "A", "status": "Pass"&lt;BR /&gt;
"test": "B", "status": "Failed"&lt;/P&gt;</description>
      <pubDate>Sat, 30 Mar 2013 01:18:41 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Indexing-data/m-p/79941#M16444</guid>
      <dc:creator>dgadjov</dc:creator>
      <dc:date>2013-03-30T01:18:41Z</dc:date>
    </item>
    <item>
      <title>Re: Indexing data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Indexing-data/m-p/79942#M16445</link>
      <description>&lt;P&gt;I have a similar use case and there is not a good way to "delete" the data from Splunk. What I have done is treat the entire file as a single event. This means when the file updates, you index the entire file over again... Then, you can use something like:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;index=main sourcetype=foo | stats first(event) as event by host | transform to extract individual events | transaction to group events (if needed)
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Sat, 30 Mar 2013 04:26:00 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Indexing-data/m-p/79942#M16445</guid>
      <dc:creator>ShaneNewman</dc:creator>
      <dc:date>2013-03-30T04:26:00Z</dc:date>
    </item>
    <item>
      <title>Re: Indexing data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Indexing-data/m-p/79943#M16446</link>
      <description>&lt;P&gt;If the entire file is being reindexed and you don't want the history, could you do something like the following based on your data?&lt;/P&gt;

&lt;P&gt;...your search... | head 1&lt;/P&gt;

&lt;P&gt;This way it gets the most recent file/record.&lt;/P&gt;</description>
      <pubDate>Sun, 31 Mar 2013 03:11:12 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Indexing-data/m-p/79943#M16446</guid>
      <dc:creator>Runals</dc:creator>
      <dc:date>2013-03-31T03:11:12Z</dc:date>
    </item>
  </channel>
</rss>

