Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How-To Change Indexed Data?

cvajs
Contributor
‎04-04-2012 09:43 AM

v4.3.1 on sles 11.1

i have some data that was incorrectly indexed, the host name assignment got messed up. is there a way via Splunk gui to change the host name field of the indexed data, if so how? or do i need to use sed via cli?

as example, some data belonging to host=myHost got indexed as host=Mon and now i wish to modify these indexed events so that host=Mon is replaced with host=myHost

Tags (3)
Reply

khodges_splunk
Splunk Employee
Splunk Employee
‎04-04-2012 11:58 AM

You can do event level meta data changes at index time via transforms.conf

http://docs.splunk.com/Documentation/Splunk/4.3.1/Data/Overridedefaulthostassignments

Reply

cvajs
Contributor
‎04-04-2012 12:07 PM

i fixed my indexing issue. i now have metadata tagged as host=Mon when it should be host=myHost, etc.

0 Karma
Reply

kristian_kolb
Ultra Champion
‎04-04-2012 10:48 AM

Exactly, there are 6 things that must be correct at index time, since you more or less can't change them afterwards. They are;

index
host
source
sourcetype
timestamps
linebreaking

Get them wrong, then Drainys answer is the easiest way to go.

/kristian

Reply

cvajs
Contributor
‎04-04-2012 11:00 AM

i cant re-index the data, i'll get same results, reason being is that the raw data format has changed and is defined as sourcetype=syslog, hence it will incorrectly tag some data as host=myHost and some of it as host=Mon. i need a way to edit the metadata, etc. i could re-index if i modified syslog source type, but i would rather not do that, etc.

0 Karma
Reply

Drainy
Champion
‎04-04-2012 10:36 AM

Alas, once you've indexed metadata like that the best option is to clear the index, clear the fishbucket on any remote forwarder and reindex the data.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...