topic How-To Change Indexed Data? in Getting Data In

How-To Change Indexed Data?

cvajs — Wed, 04 Apr 2012 16:43:50 GMT

v4.3.1 on sles 11.1

i have some data that was incorrectly indexed, the host name assignment got messed up. is there a way via Splunk gui to change the host name field of the indexed data, if so how? or do i need to use sed via cli?

as example, some data belonging to host=myHost got indexed as host=Mon and now i wish to modify these indexed events so that host=Mon is replaced with host=myHost

Re: How-To Change Indexed Data?

Drainy — Wed, 04 Apr 2012 17:36:11 GMT

Alas, once you've indexed metadata like that the best option is to clear the index, clear the fishbucket on any remote forwarder and reindex the data.

Re: How-To Change Indexed Data?

kristian_kolb — Wed, 04 Apr 2012 17:48:15 GMT

Exactly, there are 6 things that must be correct at index time, since you more or less can't change them afterwards. They are;

index
host
source
sourcetype
timestamps
linebreaking

Get them wrong, then Drainys answer is the easiest way to go.

/kristian

Re: How-To Change Indexed Data?

cvajs — Wed, 04 Apr 2012 18:00:04 GMT

i cant re-index the data, i'll get same results, reason being is that the raw data format has changed and is defined as sourcetype=syslog, hence it will incorrectly tag some data as host=myHost and some of it as host=Mon. i need a way to edit the metadata, etc. i could re-index if i modified syslog source type, but i would rather not do that, etc.

Re: How-To Change Indexed Data?

khodges_splunk — Wed, 04 Apr 2012 18:58:41 GMT

You can do event level meta data changes at index time via transforms.conf

http://docs.splunk.com/Documentation/Splunk/4.3.1/Data/Overridedefaulthostassignments

Re: How-To Change Indexed Data?

cvajs — Wed, 04 Apr 2012 19:07:53 GMT

i fixed my indexing issue. i now have metadata tagged as host=Mon when it should be host=myHost, etc.