https://community.splunk.com/t5/Splunk-Search/SPLUNK-update-existing-events/m-p/111265#M183627 <P>Hi Experts,</P> <P>I have a case like below:</P> <P>I have events with <CODE>order_id, order_status, ord_creation_date</CODE> being indexed for almost 2 months before the user asked me to add more columns to be displayed; <CODE>ord_completed_date, created_by</CODE>.</P> <P>So I add the extra columns easily but leaving the 2 months data without any value of the new columns. As I understand in any DB stacks we can do UPDATE statement to fill the new column with values, how can I do the same in SPLUNK?</P> Thu, 09 Jul 2015 11:07:12 GMT imanpoeiri 2015-07-09T11:07:12Z https://community.splunk.com/t5/Splunk-Search/SPLUNK-update-existing-events/m-p/111265#M183627 <P>Hi Experts,</P> <P>I have a case like below:</P> <P>I have events with <CODE>order_id, order_status, ord_creation_date</CODE> being indexed for almost 2 months before the user asked me to add more columns to be displayed; <CODE>ord_completed_date, created_by</CODE>.</P> <P>So I add the extra columns easily but leaving the 2 months data without any value of the new columns. As I understand in any DB stacks we can do UPDATE statement to fill the new column with values, how can I do the same in SPLUNK?</P> Thu, 09 Jul 2015 11:07:12 GMT https://community.splunk.com/t5/Splunk-Search/SPLUNK-update-existing-events/m-p/111265#M183627 imanpoeiri 2015-07-09T11:07:12Z https://community.splunk.com/t5/Splunk-Search/SPLUNK-update-existing-events/m-p/111266#M183628 <P>Once data has been indexed (or consumed) by Splunk, you cannot change it. If you have the data, you could do an export all of the data, add the columns in vi/notepad/excel/whatever, and re-index the data. Splunk is a NOSQL "database", so there isn't any update you can perform on the already indexed data.</P> Thu, 09 Jul 2015 11:46:48 GMT https://community.splunk.com/t5/Splunk-Search/SPLUNK-update-existing-events/m-p/111266#M183628 alacercogitatus 2015-07-09T11:46:48Z https://community.splunk.com/t5/Splunk-Search/SPLUNK-update-existing-events/m-p/111267#M183629 <P>Splunk is not a database. You can't update events in Splunk. The only change you can make is to mark events for deletion.</P> <P>However, if you still have the original data from the past 2 months, you can delete the existing events and re-index them to include the new fields.</P> Thu, 09 Jul 2015 11:51:04 GMT https://community.splunk.com/t5/Splunk-Search/SPLUNK-update-existing-events/m-p/111267#M183629 richgalloway 2015-07-09T11:51:04Z https://community.splunk.com/t5/Splunk-Search/SPLUNK-update-existing-events/m-p/111268#M183630 <P>Hi @alacercogitatus,</P> <P>Now the other problem is, the estimated file size for the 2 months data is around 2GB. Would you have any suggestion what tools I can use to perform bulk updates?</P> Fri, 10 Jul 2015 03:06:54 GMT https://community.splunk.com/t5/Splunk-Search/SPLUNK-update-existing-events/m-p/111268#M183630 imanpoeiri 2015-07-10T03:06:54Z https://community.splunk.com/t5/Splunk-Search/SPLUNK-update-existing-events/m-p/111269#M183631 <P>I can get from your statement that onces data is indexed we cant update it. What if i can enter a new row with the updated data and then can display latest data in splunk form? just wanted to understand how can we do that dynamically from splunk form</P> Wed, 17 May 2017 07:04:22 GMT https://community.splunk.com/t5/Splunk-Search/SPLUNK-update-existing-events/m-p/111269#M183631 vikashperiwal 2017-05-17T07:04:22Z https://community.splunk.com/t5/Splunk-Search/SPLUNK-update-existing-events/m-p/111270#M183632 <P>and to add to prev comment i will need the historic data aswell ..so i cant delete the prev data</P> Wed, 17 May 2017 07:05:02 GMT https://community.splunk.com/t5/Splunk-Search/SPLUNK-update-existing-events/m-p/111270#M183632 vikashperiwal 2017-05-17T07:05:02Z