move some content/source from one index to another index

Path Finder

Hi,
Can we move only selected file content from one index to another index?
I want to move only selected source/content, not the full index data. Is it possible?

Thanks~

Path Finder

You can use the collect command. Construct a search that returns the data you want to port, and pipe to collect.

index=whatever host=whatever source=whatever whatever | collect index=foo

That will port the data into the foo index. However, the sourcetype will be changed to 'stash'.

http://docs.splunk.com/Documentation/Splunk/latest/searchreference/collect


New Member

Will it also move raw data?

Ultra Champion

No - It will copy the data from your source index to the new one specified by the collect command.
It will not remove data from the original index.
You can use (with great care) the |delete command to remove the items from the source DB, but you should be aware that this only prevents the results being returned in search - the events themselves will remain on disk. In many cases this is acceptable, but if you're dealing with some sensitive data types, the only way to remove events once indexed is to expire/freeze your index and let Splunk delete the buckets.

New Member

Will this move the Raw data from one index to another or just the indexed data?

New Member

Seems that the reporting server changes to the Splunk server instead of the server that generated the event...

Explorer

I have run this collect command, and then searched in the index I collected the logs to.... but I do not find the results. Is this still working in 5.0.2?

Path Finder

Happy to help. I should also add, you can do this as well...

|collect index=foo sourcetype=foo

...and that will force your sourcetype too.
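As an added illustration of the collect workflow in the accepted answer and the sourcetype follow-up above (example code written for this page, not from the thread or from Splunk): a small Python helper that builds the search-plus-collect SPL from user-supplied field values with the values quoted and the index/sourcetype names validated, lets you dry-run it with collect's testmode=true, and after the copy compares event counts in source and destination before anyone reaches for | delete (which, as noted further down the thread, only hides events rather than removing them). It assumes a Splunk REST endpoint on port 8089 reachable with a bearer token; the function names, the sample export output and the filter values are this example's own.

```python
"""Copy selected events to another Splunk index with `collect`, then verify.

Added example, not from the thread. Assumptions: a Splunk search head whose
REST API (normally port 8089) accepts a bearer token; all function and
parameter names here belong to this example, not to Splunk.
"""
import json
import re
import urllib.parse
import urllib.request

# Splunk index names: lowercase letters, digits, underscore, hyphen.
_INDEX_RE = re.compile(r"^[a-z0-9_-]+$")
_SOURCETYPE_RE = re.compile(r"^[A-Za-z0-9_:.-]+$")
_FIELD_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Constructed sample of what /services/search/jobs/export?output_mode=json
# streams for `... | stats count`: one JSON object per line, preview rows first.
SAMPLE_EXPORT = (
    '{"preview":true,"offset":0,"result":{"count":"3"}}\n'
    '{"preview":false,"offset":0,"lastrow":true,"result":{"count":"42"}}\n'
)


def _quote(value: str) -> str:
    """Quote a field value for the `search` command, escaping backslash and quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_filter(filters: dict) -> str:
    """Turn {"index": "main", "host": "web-01"} into index="main" host="web-01"."""
    if "index" not in filters:
        raise ValueError("a source index is required")
    parts = []
    for field, value in filters.items():
        if not _FIELD_RE.match(field):
            raise ValueError(f"bad field name: {field!r}")
        parts.append(f"{field}={_quote(str(value))}")
    return " ".join(parts)


def build_collect_search(filters, dest_index, sourcetype=None, testmode=False):
    """SPL that copies the matching events into dest_index.

    collect copies; the source events stay where they are. Without
    sourcetype= the copies land as sourcetype=stash; forcing a sourcetype
    makes them count against the license again. testmode=true shows what
    would be written without indexing anything.
    """
    if not _INDEX_RE.match(dest_index):
        raise ValueError(f"bad index name: {dest_index!r}")
    spl = f"search {build_filter(filters)} | collect index={dest_index}"
    if sourcetype is not None:
        if not _SOURCETYPE_RE.match(sourcetype):
            raise ValueError(f"bad sourcetype: {sourcetype!r}")
        spl += f" sourcetype={sourcetype}"
    if testmode:
        spl += " testmode=true"
    return spl


def build_count_search(filters) -> str:
    return f"search {build_filter(filters)} | stats count"


def build_delete_search(filters) -> str:
    """`| delete` only hides the events from search; the buckets keep them on disk."""
    return f"search {build_filter(filters)} | delete"


def parse_count(export_ndjson: str) -> int:
    """Return the count from the final, non-preview row of `| stats count`."""
    count = None
    for line in export_ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        row = json.loads(line)
        if row.get("preview") or "result" not in row:
            continue
        count = int(row["result"]["count"])
    if count is None:
        raise ValueError("no final result row in export output")
    return count


def run_export(base_url, token, spl) -> str:
    """POST a search to the export endpoint and return the raw NDJSON body."""
    body = urllib.parse.urlencode({"search": spl, "output_mode": "json"}).encode()
    req = urllib.request.Request(
        f"{base_url}/services/search/jobs/export", data=body,
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=300) as resp:
        return resp.read().decode()


def copy_and_verify(base_url, token, filters, dest_index, sourcetype=None):
    """Copy, then confirm the destination holds at least as many events as the source.

    The destination is checked by index and sourcetype only, so pre-existing
    events there make `got` exceed `expected`; use a dedicated index for an exact match.
    """
    expected = parse_count(run_export(base_url, token, build_count_search(filters)))
    run_export(base_url, token, build_collect_search(filters, dest_index, sourcetype))
    dest_filters = {"index": dest_index, "sourcetype": sourcetype or "stash"}
    got = parse_count(run_export(base_url, token, build_count_search(dest_filters)))
    return expected, got


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; no Splunk instance needed.
    print(build_collect_search({"index": "main", "host": "web-01"}, "foo", testmode=True))
    print(parse_count(SAMPLE_EXPORT))
```

Run the dry-run search first and inspect its output; only once the destination count matches should anyone run build_delete_search on the source, and even then the events stay on disk until the buckets roll to frozen.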

Path Finder

Note that changing the sourcetype will (as of 6.x, at least) incur additional licensing impact.

Builder

Thanks buddy...that little pointer helped me with another issue I was facing. Note that src="ipaddr" OR etc can be used as well if your culprit was a syslog with multiples in it....no doubt the manual would have told me that however long I spend in them! 😉

Splunk Employee

You can't selectively move data from one index to another easily. You can find the data you'd like to move, export the events as raw, and then import them into your new index. Once you do that, you can use | delete to mask the events so further searches won't reveal them. However, that space won't be reclaimed within the index.