https://community.splunk.com/t5/Splunk-Search/How-to-get-Splunk-to-replace-events-containing-quot-abc-quot/m-p/117894#M31407 <P>While continually indexing data from a file or directory, when I made some changes in file for eg. modified a single line having "abc" to "xyz", at that time, the entire file is indexed and I get the duplicate events of the entire file. I want Splunk to replace events that contain "abc" with "xyz" without duplicating other events.</P> Tue, 09 Sep 2014 19:45:18 GMT jagdish007 2014-09-09T19:45:18Z https://community.splunk.com/t5/Splunk-Search/How-to-get-Splunk-to-replace-events-containing-quot-abc-quot/m-p/117894#M31407 <P>While continually indexing data from a file or directory, when I made some changes in file for eg. modified a single line having "abc" to "xyz", at that time, the entire file is indexed and I get the duplicate events of the entire file. I want Splunk to replace events that contain "abc" with "xyz" without duplicating other events.</P> Tue, 09 Sep 2014 19:45:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-Splunk-to-replace-events-containing-quot-abc-quot/m-p/117894#M31407 jagdish007 2014-09-09T19:45:18Z https://community.splunk.com/t5/Splunk-Search/How-to-get-Splunk-to-replace-events-containing-quot-abc-quot/m-p/117895#M31408 <P>Splunk does not keep track of every line it has ever read. And you can't modify records in Splunk like you can in a "normal" DB. Splunk works with checksums on files by default the first 256 and the last 256 bytes are used for the checksum (plus a pointer up to where a file was read). If the checksums do not match Splunk thinks it's a file it has never seen before and it will read it again. </P> <P>Why are you changeing "abc" to "xyz" in your file? Maybe someone can tell you how to solve the problem with Splunk. Or maybe Splunk is not the right tool for you.</P> <P>Regards <BR /> Chris</P> Tue, 09 Sep 2014 20:14:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-Splunk-to-replace-events-containing-quot-abc-quot/m-p/117895#M31408 chris 2014-09-09T20:14:48Z https://community.splunk.com/t5/Splunk-Search/How-to-get-Splunk-to-replace-events-containing-quot-abc-quot/m-p/117896#M31409 <P>If I am continuous monitoring one LogFile which is edited by other application and that application added one more log to that LogFile. So when new log added to that LogFile at that time also entire file get processed?</P> Tue, 09 Sep 2014 20:38:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-Splunk-to-replace-events-containing-quot-abc-quot/m-p/117896#M31409 jagdish007 2014-09-09T20:38:43Z https://community.splunk.com/t5/Splunk-Search/How-to-get-Splunk-to-replace-events-containing-quot-abc-quot/m-p/117897#M31410 <P>No it will not reprocess the entire file. Splunk will know up to which point the file has been read and it will just read what is new. It nows that the first part of the file has ben read beacause of the checksums.</P> Tue, 09 Sep 2014 21:06:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-Splunk-to-replace-events-containing-quot-abc-quot/m-p/117897#M31410 chris 2014-09-09T21:06:52Z https://community.splunk.com/t5/Splunk-Search/How-to-get-Splunk-to-replace-events-containing-quot-abc-quot/m-p/117898#M31411 <P>Thanx...Your answer helps me...</P> Wed, 10 Sep 2014 11:21:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-Splunk-to-replace-events-containing-quot-abc-quot/m-p/117898#M31411 jagdish007 2014-09-10T11:21:38Z