Solved: Editing an existing data input creates new item

adrianp · ‎10-30-2013

When I try to edit an existing data input, it's creating a new one. Shouldn't it just update it?

Ayn · ‎10-30-2013

No, Splunk is a time-series database - it will read events and assign a timestamp to them once. Events that are indexed will not be modified - if you make changes to existing data that Splunk has already indexed, Splunk will interpret that as that the whole file has changed and its contents needs to be reindexed.

View solution in original post

Ayn · ‎10-30-2013

No, Splunk is a time-series database - it will read events and assign a timestamp to them once. Events that are indexed will not be modified - if you make changes to existing data that Splunk has already indexed, Splunk will interpret that as that the whole file has changed and its contents needs to be reindexed.

Ayn · ‎11-01-2013

Sorry, I obviously misunderstood what you meant. I don't have a good answer for the issue you're having, sorry.

adrianp · ‎10-30-2013

http://MYSERVER:8000/en-US/manager/launcher/data/inputs/udp

adrianp · ‎10-30-2013

Um, I don't follow. I'm talking about where you edit Data Inputs and select, File, Events Log, syslog, etc... When I click on one that I created (to edit it because I made a mistake), after I hit save, instead of updating the one I was editing, it just creates a new item.

Editing an existing data input creates new item

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Developer Spotlight with Mika Borner

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

Join the Conversation