https://community.splunk.com/t5/Getting-Data-In/Reindex-Duplicates-Reindex-duplicate-data/m-p/232275#M45274 <P>HI Splunkers,</P> <P>I got a little complicated issue I cannot figure out. </P> <P>Everyday I receive a host file that we index that contains 80% of that data is duplicate from the days before (same timestamp everything). Splunk goes ahead and only indexes the non duplicates, which I would usually appreciate.</P> <P>However, for a specific report I need to find a setting where Splunk overwrites the old events and indexes a duplicate from the latest source.</P> <PRE><CODE>For example: I get event 1111 - timestamp 1-17 on 1/17 in logfile1_17.txt on 1-18 I have the event 1111 - timestamp 1-17 in logfile1_18.txt Now when I look for this event 1111 , I find as source logfile1_17.txt but I would need it indexed again and have source logfile1_18.txt </CODE></PRE> <P>Is there a setting that the event 1111 is shown in splunk with the latest indexed file as source or is indexed again ?</P> <P>Thanks.</P> <P>Oliver</P> Wed, 18 Jan 2017 14:34:30 GMT omuelle1 2017-01-18T14:34:30Z https://community.splunk.com/t5/Getting-Data-In/Reindex-Duplicates-Reindex-duplicate-data/m-p/232275#M45274 <P>HI Splunkers,</P> <P>I got a little complicated issue I cannot figure out. </P> <P>Everyday I receive a host file that we index that contains 80% of that data is duplicate from the days before (same timestamp everything). Splunk goes ahead and only indexes the non duplicates, which I would usually appreciate.</P> <P>However, for a specific report I need to find a setting where Splunk overwrites the old events and indexes a duplicate from the latest source.</P> <PRE><CODE>For example: I get event 1111 - timestamp 1-17 on 1/17 in logfile1_17.txt on 1-18 I have the event 1111 - timestamp 1-17 in logfile1_18.txt Now when I look for this event 1111 , I find as source logfile1_17.txt but I would need it indexed again and have source logfile1_18.txt </CODE></PRE> <P>Is there a setting that the event 1111 is shown in splunk with the latest indexed file as source or is indexed again ?</P> <P>Thanks.</P> <P>Oliver</P> Wed, 18 Jan 2017 14:34:30 GMT https://community.splunk.com/t5/Getting-Data-In/Reindex-Duplicates-Reindex-duplicate-data/m-p/232275#M45274 omuelle1 2017-01-18T14:34:30Z https://community.splunk.com/t5/Getting-Data-In/Reindex-Duplicates-Reindex-duplicate-data/m-p/232276#M45275 <P>If this is the behaviour you want then consider using batch instead of monitor. </P> <PRE><CODE>[batch://&lt;path&gt;] disabled = false move_policy = sinkhole index = yourindex sourcetype = somesourcetype </CODE></PRE> <P>This will index any file put in that directory and delete it once ingested (so keep that in mind that you may lose the file once indexed). However the move_policy set to sinkhole will reindex the same file if put in that folder with different timestamp instead of following the tail. </P> Thu, 19 Jan 2017 04:40:36 GMT https://community.splunk.com/t5/Getting-Data-In/Reindex-Duplicates-Reindex-duplicate-data/m-p/232276#M45275 nabeel652 2017-01-19T04:40:36Z https://community.splunk.com/t5/Getting-Data-In/Reindex-Duplicates-Reindex-duplicate-data/m-p/232277#M45276 <P>Thank you, I went crcSalt = which also seems to reindex duplicates.</P> Thu, 19 Jan 2017 15:30:40 GMT https://community.splunk.com/t5/Getting-Data-In/Reindex-Duplicates-Reindex-duplicate-data/m-p/232277#M45276 omuelle1 2017-01-19T15:30:40Z https://community.splunk.com/t5/Getting-Data-In/Reindex-Duplicates-Reindex-duplicate-data/m-p/232278#M45277 <P>Would this duplicate existing data? Would the summary indices be automatically updated?</P> Tue, 21 Mar 2017 15:46:33 GMT https://community.splunk.com/t5/Getting-Data-In/Reindex-Duplicates-Reindex-duplicate-data/m-p/232278#M45277 gurugv 2017-03-21T15:46:33Z