https://community.splunk.com/t5/Getting-Data-In/Splunk-indexed-data/m-p/90465#M97362 <P>United we stand.</P> <P>No updates. </P> <P>You can certainly insert new events and these might have common fields that change in state/value over time.If you think about it, conceptually this is what updating is.And then you can use Splunk searches to search on these fields with the added benefit of the change history of the fields over time to analyse.</P> <P>01/04/2012 12:02:43 somefield=2 anotherfield=true<BR /> 01/04/2012 12:03:32 somefield=6 anotherfield=true<BR /> 01/04/2012 12:04:12 somefield=89 anotherfield=false</P> Tue, 13 Mar 2012 08:05:27 GMT Damien_Dallimor 2012-03-13T08:05:27Z https://community.splunk.com/t5/Getting-Data-In/Splunk-indexed-data/m-p/90460#M97357 <P>Is Splunk's indexed data difficult or nearly impossible to modify?</P> Tue, 13 Mar 2012 06:33:43 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-indexed-data/m-p/90460#M97357 misteryuku 2012-03-13T06:33:43Z https://community.splunk.com/t5/Getting-Data-In/Splunk-indexed-data/m-p/90461#M97358 <P>Yes. Once it's in the index, there are no mechanisms for changing it. You might be able to change data by editing the index file in a hex editor or something similar, but that'll raise other problems - it's certainly not something you should try at home.</P> Tue, 13 Mar 2012 06:44:11 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-indexed-data/m-p/90461#M97358 Ayn 2012-03-13T06:44:11Z https://community.splunk.com/t5/Getting-Data-In/Splunk-indexed-data/m-p/90462#M97359 <P>Sorry about asking almost the same question again. Cos i find it hard to accept the truth. That's why i ask again so hopefully someone else gave me the similar answer as yours or you state your stand strongly.</P> Tue, 13 Mar 2012 06:54:09 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-indexed-data/m-p/90462#M97359 misteryuku 2012-03-13T06:54:09Z https://community.splunk.com/t5/Getting-Data-In/Splunk-indexed-data/m-p/90463#M97360 <P>Heh, well I take a strong stand because there's only one clear answer to your question.</P> <P>Like I said in a comment in another question of yours, what is it you're trying to achieve? I get a feeling you're misunderstanding what a Splunk index is and how it can or can't be used.</P> Tue, 13 Mar 2012 06:56:22 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-indexed-data/m-p/90463#M97360 Ayn 2012-03-13T06:56:22Z https://community.splunk.com/t5/Getting-Data-In/Splunk-indexed-data/m-p/90464#M97361 <P>I don't know why it's so hard to accept. It was never designed for modifications, and there are no API or internal ways to change data (other than delete entire indexes/files).</P> Tue, 13 Mar 2012 07:50:16 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-indexed-data/m-p/90464#M97361 gkanapathy 2012-03-13T07:50:16Z https://community.splunk.com/t5/Getting-Data-In/Splunk-indexed-data/m-p/90465#M97362 <P>United we stand.</P> <P>No updates. </P> <P>You can certainly insert new events and these might have common fields that change in state/value over time.If you think about it, conceptually this is what updating is.And then you can use Splunk searches to search on these fields with the added benefit of the change history of the fields over time to analyse.</P> <P>01/04/2012 12:02:43 somefield=2 anotherfield=true<BR /> 01/04/2012 12:03:32 somefield=6 anotherfield=true<BR /> 01/04/2012 12:04:12 somefield=89 anotherfield=false</P> Tue, 13 Mar 2012 08:05:27 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-indexed-data/m-p/90465#M97362 Damien_Dallimor 2012-03-13T08:05:27Z https://community.splunk.com/t5/Getting-Data-In/Splunk-indexed-data/m-p/90466#M97363 <P>so the update occurs automatically?</P> Tue, 13 Mar 2012 08:10:37 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-indexed-data/m-p/90466#M97363 misteryuku 2012-03-13T08:10:37Z https://community.splunk.com/t5/Getting-Data-In/Splunk-indexed-data/m-p/90467#M97364 <P>I suggest you visit the #splunk IRC channel. This is beginning to look like a chat session.</P> <P><A href="http://www.splunk.com/view/SP-CAAACDF">http://www.splunk.com/view/SP-CAAACDF</A></P> Tue, 13 Mar 2012 08:11:45 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-indexed-data/m-p/90467#M97364 Ayn 2012-03-13T08:11:45Z