topic Re: move some content/source from one index to another index in Splunk Search

move some content/source from one index to another index

sushildabare — Wed, 23 Nov 2011 17:01:39 GMT

Hi,
Can we move only selected file content from one index to another index.
I want to move only selected source/content not the ful index data, is it possible?

Thanks~

Re: move some content/source from one index to another index

jbsplunk — Wed, 23 Nov 2011 18:31:13 GMT

You can't selectively move data from one index to another easily. You can find the data you'd like to move, and export, you can export the events as raw and then import them into your new index. Once you do that, you can use | delete to mask the events so further searches won't reveal them. However, that space won't be reclaimed within the index.

Re: move some content/source from one index to another index

rgonzale6 — Wed, 23 Nov 2011 19:17:37 GMT

You can use the collect command. Construct a search that returns the data you want to port, and pipe to collect.

index=whatever host=whatever source=whatever whatever | collect index=foo

That will port the data into the foo index. However, the sourcetype will be changed to 'stash'.

http://docs.splunk.com/Documentation/Splunk/latest/searchreference/collect

Re: move some content/source from one index to another index

DaveSavage — Thu, 27 Sep 2012 13:51:29 GMT

Thanks buddy...that little pointer helped me with another issue I was facing. Note that src="ipaddr" OR etc can be used as well if your culprit was a syslog with multiples in it....no doubt the manual would have told me that however long I spend in them! 😉

Re: move some content/source from one index to another index

rgonzale6 — Thu, 27 Sep 2012 15:13:18 GMT

Happy to help. I should also add, you can do this as well...

|collect index=foo sourcetype=foo

...and that will force your sourcetype too.

Re: move some content/source from one index to another index

casspugh — Mon, 18 Feb 2013 17:22:09 GMT

I have run this collect command, and then searched in the index I collected the logs to.... but I do not find the results. Is this still working in 5.0.2?

Re: move some content/source from one index to another index

mornawka — Tue, 26 Jan 2016 16:46:01 GMT

seems that the reporting server changes to the Splunk server instead of the server that generated the event...

Re: move some content/source from one index to another index

davidatpinger — Wed, 30 Nov 2016 23:16:30 GMT

Note that changing the sourcetype will (as of 6.x, at least) incur additional licensing impact.

Re: move some content/source from one index to another index

GSolasa — Fri, 20 Oct 2017 19:11:09 GMT

Will this move the Raw data from one index to another or just the indexed data?

Re: move some content/source from one index to another index

GSolasa — Fri, 20 Oct 2017 20:43:22 GMT

will it also move raw data ?

Re: move some content/source from one index to another index

nickhills — Mon, 04 Dec 2017 08:59:09 GMT

No - It will copy the data from your source index to the new one specified by the collect command.
It will not remove data from the original index.
You can use (with great care) the |delete command to remove the items from the source DB, but you should be aware that this only prevents the results being returned in search - the events themselves will remain on disk. In many cases this is acceptable, but if your dealing with some sensitive data types, the only way to remove events once indexed is to expire/freeze your index and let Splunk delete the buckets