Solved: Change source name for exisiting data.

Mr_Robaloba · ‎03-09-2011

I tried out the option "source name override" when setting up a UDP data input to replace "UDP:514" with "mynetworkSyslogs".

After making this change, can I permanently change the source name of exisiting data from this input to match the change?

I have tried doing: source="udp:514" | replace "udp:514" with "mynetworkSyslogs" in the search bar but this does not seem to make a permanent change.

wollinet · ‎03-09-2011

You can't modify existing meta data. You have to re-index the old data.

View solution in original post

wollinet · ‎03-09-2011

You can't modify existing meta data. You have to re-index the old data.

wollinet · ‎03-23-2011

You have to re-feed the log files. With 4.2 I think there're some new features for re-indexing. But I haven't checked them yet.

Mr_Robaloba · ‎03-23-2011

Thanks,
Though this seems to be a quite a limitation in Splunk.

I have been unable to locate any clear information on how to re-index my data. How do I do this?

Change source name for exisiting data.

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

Join the Conversation