Solved: Re: Editing an existing data input creates new ite...

adrianp · ‎10-30-2013

When I try to edit an existing data input, it's creating a new one. Shouldn't it just update it?

Ayn · ‎10-30-2013

No, Splunk is a time-series database - it will read events and assign a timestamp to them once. Events that are indexed will not be modified - if you make changes to existing data that Splunk has already indexed, Splunk will interpret that as that the whole file has changed and its contents needs to be reindexed.

View solution in original post

Ayn · ‎10-30-2013

No, Splunk is a time-series database - it will read events and assign a timestamp to them once. Events that are indexed will not be modified - if you make changes to existing data that Splunk has already indexed, Splunk will interpret that as that the whole file has changed and its contents needs to be reindexed.

Ayn · ‎11-01-2013

Sorry, I obviously misunderstood what you meant. I don't have a good answer for the issue you're having, sorry.

adrianp · ‎10-30-2013

http://MYSERVER:8000/en-US/manager/launcher/data/inputs/udp

adrianp · ‎10-30-2013

Um, I don't follow. I'm talking about where you edit Data Inputs and select, File, Events Log, syslog, etc... When I click on one that I created (to edit it because I made a mistake), after I hit save, instead of updating the one I was editing, it just creates a new item.

Editing an existing data input creates new item

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM