https://community.splunk.com/t5/Getting-Data-In/Modify-json-structure-for-sourcetype-that-has-indexed/m-p/429079#M75191 <P>We have a single Splunk instance with custom scripted input that pulls down json, and has indexed extractions.</P> <P>New fields were added to the json that aren't getting extracted. We want to be able to remove the known headers that Splunk knows of (what fields to extract), so that it can start over and pick up newly added fields. Is there any method of doing this? </P> <P>Are our only options: 1) change sourcetype or 2) use search time extractions?</P> Mon, 29 Apr 2019 16:14:49 GMT hortonew 2019-04-29T16:14:49Z https://community.splunk.com/t5/Getting-Data-In/Modify-json-structure-for-sourcetype-that-has-indexed/m-p/429079#M75191 <P>We have a single Splunk instance with custom scripted input that pulls down json, and has indexed extractions.</P> <P>New fields were added to the json that aren't getting extracted. We want to be able to remove the known headers that Splunk knows of (what fields to extract), so that it can start over and pick up newly added fields. Is there any method of doing this? </P> <P>Are our only options: 1) change sourcetype or 2) use search time extractions?</P> Mon, 29 Apr 2019 16:14:49 GMT https://community.splunk.com/t5/Getting-Data-In/Modify-json-structure-for-sourcetype-that-has-indexed/m-p/429079#M75191 hortonew 2019-04-29T16:14:49Z https://community.splunk.com/t5/Getting-Data-In/Modify-json-structure-for-sourcetype-that-has-indexed/m-p/429080#M75192 <P>All I can find in the docs is:</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileswithstructureddata">https://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileswithstructureddata</A><BR /> No support for mid-file renaming of header fields<BR /> Some software, such as Internet Information Server, supports the renaming of header fields in the middle of the file. Splunk software does not recognize changes such as this. If you attempt to index a file that has header fields renamed within the file, the renamed header field is not indexed.</P> Mon, 29 Apr 2019 16:20:39 GMT https://community.splunk.com/t5/Getting-Data-In/Modify-json-structure-for-sourcetype-that-has-indexed/m-p/429080#M75192 hortonew 2019-04-29T16:20:39Z https://community.splunk.com/t5/Getting-Data-In/Modify-json-structure-for-sourcetype-that-has-indexed/m-p/429081#M75193 <P>It does not work like that. Splunk does not cache headers for <CODE>INDEXED_EXTRACTIONS</CODE>. If it seems to be doing so, try deleting the file so that it is rewritten with a fresh header line.</P> Tue, 30 Apr 2019 06:57:47 GMT https://community.splunk.com/t5/Getting-Data-In/Modify-json-structure-for-sourcetype-that-has-indexed/m-p/429081#M75193 woodcock 2019-04-30T06:57:47Z https://community.splunk.com/t5/Getting-Data-In/Modify-json-structure-for-sourcetype-that-has-indexed/m-p/429082#M75194 <P>Which file?</P> Tue, 30 Apr 2019 11:56:20 GMT https://community.splunk.com/t5/Getting-Data-In/Modify-json-structure-for-sourcetype-that-has-indexed/m-p/429082#M75194 hortonew 2019-04-30T11:56:20Z https://community.splunk.com/t5/Getting-Data-In/Modify-json-structure-for-sourcetype-that-has-indexed/m-p/429083#M75195 <P>The file that you are monitoring in your inputs.conf:</P> <PRE><CODE>[monitor:///Your/Path/To/YourFileHere] </CODE></PRE> Wed, 01 May 2019 04:00:16 GMT https://community.splunk.com/t5/Getting-Data-In/Modify-json-structure-for-sourcetype-that-has-indexed/m-p/429083#M75195 woodcock 2019-05-01T04:00:16Z