I have several thousand events for which I want to change the source and sourcetype. I started putting them into the index with one sourcetype, then realized that it should have been something else.
I want to go back and change the sourcetype on the old events so that they have the same sourcetype as the new records.
Does anyone know how to do this?
You cannot change it once it has been indexed.
However, what you can do is the following:
1) Export the logs with incorrect sourcetype so you have the raw, original logs:
splunk search "index=myindex sourcetype=wrong_source_type" -maxout 0 > raw.logs
2) Delete the logs with incorrect sourcetype. You have to add the delete role to your account before doing this:
index=myindex sourcetype=wrong_source_type | delete
3) Reindex the raw logs with the correct sourcetype.
Came across this post while trying to correct sourcetype errors in my instance. There is an error in the accepted answer; the command should be:
splunk search "index=myindex sourcetype=wrong_source_type" -maxout 0 > raw.logs
You can then import the file with:
splunk add oneshot raw.logs -sourcetype mysourcetype -index myindex -host myhostparam
But be aware that this will set the "source" for that sourcetype to the "raw.logs" location, so make sure you are not using source= in your filters, or it will miss those bulk-indexed files.
You can also use -rename-source to rename the source, e.g.:
splunk add oneshot raw.logs -sourcetype mysourcetype -index myindex -host myhost -rename-source mysource
In our clustered environment, where should we execute these commands, on the cluster master or on any indexer?
Thanks for the help.
Here is a good link for this problem:
http://splunk-base.splunk.com/answers/22421/how-to-export-large-volume-of-raw-data-out-of-a-index
Here is the command I used to copy out the data:
./splunk search "index=firewall_juniper earliest=1/26/2012:0:0:0 latest=02/01/2012:09:08:15" -preview 0 -maxout 0 -output rawdata > ../juniper_raw.logs
Then I used the same search to delete the records, and then I did the oneshot on juniper_raw.logs into the firewall_juniper index with the right host, source and sourcetype info.
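The three steps above (export with -maxout 0 and -output rawdata, "| delete", then "add oneshot" with -rename-source) are easy to get wrong in the one place that matters: "| delete" cannot be undone, so the export has to be checked before it runs. The script below is an added example written for this thread, not code from any of the posters or from Splunk. The function names, SPLUNK_BIN, and the index, host and source values are placeholders; it assumes single-line events (one raw event per line in the export) and a CLI that is already logged in with "splunk login". The role that allows "| delete" is can_delete; grant it for the job and remove it afterwards. Note that "| delete" only hides the events from search, the buckets still hold the data, and that a single oneshot gives every re-indexed event the same host and source, so events spanning several hosts or sources should be exported and re-indexed per host/source.

```shell
#!/bin/sh
# Re-sourcetype events that are already indexed: export the raw events,
# check the export, only then "| delete", then re-index with "add oneshot".
# Assumes single-line events and an already authenticated CLI (splunk login).
SPLUNK_BIN="${SPLUNK_BIN:-splunk}"   # overridable so the steps can be dry-run

# Ask Splunk how many events match; "stats count" gives one number back.
# -output csv prints a header line ("count") followed by the value.
count_events() {
    idx="$1"; st="$2"
    "$SPLUNK_BIN" search "index=$idx sourcetype=$st | stats count" \
        -maxout 0 -preview 0 -output csv | sed -n '2p' | tr -d '\r" '
}

# Dump the raw events to a file. -maxout 0 lifts the CLI's default cap on
# returned events; -output rawdata writes one raw event per line and nothing else.
export_events() {
    idx="$1"; st="$2"; out="$3"
    "$SPLUNK_BIN" search "index=$idx sourcetype=$st" \
        -maxout 0 -preview 0 -output rawdata > "$out"
}

# "| delete" is irreversible, so refuse to proceed unless the file holds
# exactly as many lines as Splunk reported events.
verify_export() {
    expected="$1"; out="$2"
    [ -s "$out" ] || { echo "export is empty: $out" >&2; return 1; }
    got=$(wc -l < "$out" | tr -d ' ')
    [ "$got" -eq "$expected" ] || {
        echo "exported $got lines but Splunk counted $expected events; not deleting" >&2
        return 1
    }
}

# Hide the mis-typed events from search (needs the can_delete role; this does
# not reclaim disk, the buckets still hold the data).
delete_events() {
    idx="$1"; st="$2"
    "$SPLUNK_BIN" search "index=$idx sourcetype=$st | delete" -maxout 0 -preview 0
}

# Re-index the file once. -rename-source keeps searches on source= working;
# without it every re-indexed event gets the file path as its source.
reindex_events() {
    file="$1"; idx="$2"; st="$3"; host="$4"; src="$5"
    "$SPLUNK_BIN" add oneshot "$file" -index "$idx" -sourcetype "$st" \
        -host "$host" -rename-source "$src"
}

# fix_sourcetype INDEX OLD_SOURCETYPE NEW_SOURCETYPE HOST SOURCE [EXPORT_FILE]
fix_sourcetype() {
    idx="$1"; old="$2"; new="$3"; host="$4"; src="$5"; out="${6:-raw.logs}"
    n=$(count_events "$idx" "$old") || return 1
    case "$n" in ''|*[!0-9]*) echo "could not count events: '$n'" >&2; return 1;; esac
    [ "$n" -gt 0 ] || { echo "no events with sourcetype=$old in index=$idx" >&2; return 0; }
    export_events "$idx" "$old" "$out" || return 1
    verify_export "$n" "$out" || return 1
    delete_events "$idx" "$old" || return 1
    reindex_events "$out" "$idx" "$new" "$host" "$src"
}

# Example: fix_sourcetype myindex wrong_source_type right_source_type myhost mysource
if [ "$#" -ge 5 ]; then fix_sourcetype "$@"; fi
```

Run it on the indexer that holds the data (or with SPLUNK_BIN pointing at a wrapper that adds -auth), and keep the export file until the re-indexed events have been spot-checked; it is the only copy of the events once "| delete" has run.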
Probably the easiest way is to use the oneshot command:
splunk add oneshot raw.logs -host myhost -index myindex -sourcetype correct_sourcetype
You can use whatever else you want: index through the web interface with 4.3, use a monitor stanza on a file ...
This will probably work for me.
If I might, can I trouble you for the command to reindex the raw.logs file?