How-To Change Indexed Data?

cvajs · ‎04-04-2012

v4.3.1 on sles 11.1

i have some data that was incorrectly indexed, the host name assignment got messed up. is there a way via Splunk gui to change the host name field of the indexed data, if so how? or do i need to use sed via cli?

as example, some data belonging to host=myHost got indexed as host=Mon and now i wish to modify these indexed events so that host=Mon is replaced with host=myHost

khodges_splunk · ‎04-04-2012

You can do event level meta data changes at index time via transforms.conf

http://docs.splunk.com/Documentation/Splunk/4.3.1/Data/Overridedefaulthostassignments

cvajs · ‎04-04-2012

i fixed my indexing issue. i now have metadata tagged as host=Mon when it should be host=myHost, etc.

kristian_kolb · ‎04-04-2012

Exactly, there are 6 things that must be correct at index time, since you more or less can't change them afterwards. They are;

index
host
source
sourcetype
timestamps
linebreaking

Get them wrong, then Drainys answer is the easiest way to go.

/kristian

cvajs · ‎04-04-2012

i cant re-index the data, i'll get same results, reason being is that the raw data format has changed and is defined as sourcetype=syslog, hence it will incorrectly tag some data as host=myHost and some of it as host=Mon. i need a way to edit the metadata, etc. i could re-index if i modified syslog source type, but i would rather not do that, etc.

Drainy · ‎04-04-2012

Alas, once you've indexed metadata like that the best option is to clear the index, clear the fishbucket on any remote forwarder and reindex the data.

How-To Change Indexed Data?

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!