Getting Data In

How do I apply a new linemerge rule to historical data?

stevennoble
Explorer

I'm trying to add a new linemerge rule to my props.conf. I'm currently putting it in etc/system/local/props.conf but I realize this won't work if linemerge happens at index time. Does it happen at index time or at search time? If it happens at index time can I re-index my old data without re-referencing the original logs?

1 Solution

lguinn2
Legend

Parsing line-breaks (the LINEMERGE setting) does happen at index time. You are right, your changes will not affect historical data.

You might be able to recreate the data without re-referencing the original logs. BUT the only solution still requires re-indexing - so if you are trying to avoid re-indexing, I can't help.

Step 1 - test your new props.conf on a sample of the data - place the data in a test instance of Splunk or in a test index. Once tested, make sure that your updated props.conf is in place in your production environment.

Step 2 - If you have the original logs, locate them and copy them to some staging area that is accessible. If you DON'T have the original logs, you can search Splunk for the data and export it. Be sure to export _raw. Again, place this data in some staging area. You may need to play with the exported data to get it into the format that you want.

Step 3 - CAREFULLY delete the existing data from the Splunk indexes. Use the delete command.

Step 4 - Using upload (batch input, not monitor input), reload all the old data into Splunk. Make sure that you assign the sourcetype properly, so that the rules in your props.conf are properly applied. You might get a Splunk license violation, depending on your licensing volume - BUT if this is a one-off, it's okay. Remember that it takes 5 license violations in Splunk Enterprise for Splunk to lock-up.

HTH
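A dry run of a merge rule over exported _raw text, useful between steps 2 and 3 so the destructive delete only happens once the staged data is known to regroup as intended. This is an added example, not part of the original answer and not Splunk's code: it approximates the props.conf settings `BREAK_ONLY_BEFORE` and `MAX_EVENTS` with Python's `re`, and the sample log, the timestamp rule `TS_RULE` and the function names are assumptions made for illustration.

```python
import re

# Constructed sample of exported _raw text (not real data).
SAMPLE_RAW = """\
2024-03-01 10:00:01 ERROR auth failed for user=alice
java.lang.IllegalStateException: token expired
    at com.example.Auth.check(Auth.java:42)
    at com.example.Filter.doFilter(Filter.java:17)
2024-03-01 10:00:05 INFO login ok user=bob
2024-03-01 10:00:09 WARN retry scheduled
    caused by: timeout
"""
# Hypothetical rule under test: an event starts at a leading timestamp.
TS_RULE = r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"


def merge_lines(raw_text, break_only_before, max_events=256):
    """Approximate line merging: a line matching break_only_before starts a
    new event, and an event is also cut once it holds max_events lines."""
    pattern = re.compile(break_only_before)
    events, current = [], []
    for line in raw_text.splitlines():
        if current and (pattern.search(line) or len(current) >= max_events):
            events.append(current)
            current = []
        current.append(line)
    if current:
        events.append(current)
    return events


def dry_run(raw_text, break_only_before, max_events=256):
    """Summarise what the rule would produce, before anything is deleted."""
    pattern = re.compile(break_only_before)
    events = merge_lines(raw_text, break_only_before, max_events)
    return {
        "events": len(events),
        "multiline": sum(1 for e in events if len(e) > 1),
        # Events that do not begin with the break pattern: the export started
        # mid-event, or max_events forced a cut inside a long event.
        "orphans": ["\n".join(e) for e in events if not pattern.search(e[0])],
    }


if __name__ == "__main__":
    print(dry_run(SAMPLE_RAW, TS_RULE))
    print(dry_run(SAMPLE_RAW, TS_RULE, max_events=2))
```

A non-empty `orphans` list means some staged events would not start on the expected boundary. The result is only an estimate; the test index from step 1 remains the authoritative check.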
