Dear All,
I am new to Splunk, So while doing changes in input.conf or props.conf etc. the changes are not taking place unless and untill. I reinstall the splunk. Is there any other method ?
Your help is appreciated..
Hello. How about it? (using CLI)
./splunk stop
./splunk clean all -f
./splunk restart
As "rotten" mentioned, once the data has been indexed, it cannot be changed. However, some things are not stored in the index. Those things can be changed as you wish. Below are the basics; look in the documentation for more details.
Changes to inputs.conf change how all new data will be indexed. These changes do not affect data that has already been indexed. If you want these changes to apply to all data, you will need to use the splunk clean command, as was shown in one of the other answers.
Changes to props.conf may change how data is indexed:
Setting the source, sourcetype or host - these affect how the data is indexed. Therefore, this is the same as changes to inputs.conf.
Defining field extractions - field definitions are not indexed; fields are built during the search process. These changes do not require that you restart Splunk. Any changes that you make to field extractions will apply to all data, regardless of when it was indexed. (BTW, you can do "index time field extractions" but don't. Use the normal, search-time field extractions - this is what Splunk recommends.)
If you are new to Splunk, I suggest that you use the web interface (the Splunk Manager) to set up your inputs, and the interactive field extractor to set up your fields. One of the nice things about using the Splunk web interface is that it will tell you if you need to restart Splunk.
Hello. How about it? (using CLI)
./splunk stop
./splunk clean all -f
./splunk restart
Thank you very much
You mean restart, not reinstall, right?
You can pull in changes to props.conf with the not-so-intuitive search command (as admin):
* | extract reload=true
I think you only need to search a short time-window (like 5 minutes) for this to cause props.conf to be reloaded.
Once the data is indexed it is written in stone. Re-reading the props.conf applies to future events.
its short time data like 1 day. But Can splunk changes the data which was already indexed before ?? after changes in props.conf.
For example: Splunk taking some unnesessary field values from csv header. I wanna remove that. I am doing changes in conf files but changes taking place after reinstall the splunk.
Have you tried just restarting splunk?
$SPLUNK_HOME$/bin> splunk resart
yes, tried but not working.
I think the problem is, splunk already index the fields and can not delete the indexed data, if I change somthing input.conf or props.conf