Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I change the sourcetype after the data has been indexed?

slin
Splunk Employee
Splunk Employee
‎06-11-2013 04:03 PM

I just installed Splunk for the first time. After some trial and error I uploaded a file but later I found that I need to change the sourcetype. Is there a way to do that?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

ChrisG
Splunk Employee
Splunk Employee
‎06-11-2013 04:21 PM

You cannot change the source type after your data has been indexed. You will have to delete it and reindex. See this previous Answers posting or this one for methods and alternatives.

View solution in original post

Reply
Solved! Jump to solution

markwymer
Path Finder
‎08-22-2016 06:01 AM

Sorry to resurrect an old post but I'm hoping that my comment/query will prompt an expert to advise me on the same subject rather than reasking the same question in a new post.

Would it not be possible, disk space permitting, to read the data from the original source and re-index it to a new index?

I.e.

index=original_index sourcetype=original_sourcetype host=xyz | collect index=new_index sourcetype=new_sourcetype host=xyz

Would this preserve the initial meta data whilst changing the sourcetype?

Thanks,
Mark

Reply
Solved! Jump to solution

kmuellercm
Explorer
‎09-13-2019 06:42 AM

This changes the sourcetype to 'stash' and is not configurable, just in case anyone finds this answer and thinks it's a work-around 🙂

0 Karma
Reply
Solved! Jump to solution

johnansett
Communicator
‎02-09-2022 03:07 PM

Not true - it is configurable.  Be aware tho changing the sourcetype using collect will be metered on ingestion licenses.

0 Karma
Reply
Solved! Jump to solution

amaynardclarku
Engager
‎01-23-2018 05:56 AM

Just what I was looking for. thanks

0 Karma
Reply
Solved! Jump to solution

jonwatson
Engager
‎04-13-2017 01:51 PM

Yes. That worked perfectly. Thank you.

I'd give points, but I have none to give.

0 Karma
Reply
Solved! Jump to solution

tmuthuk
Path Finder
‎06-11-2013 04:26 PM

You cannot change the source type once the data has been indexed

Reply
Solved! Jump to solution
Solution

ChrisG
Splunk Employee
Splunk Employee
‎06-11-2013 04:21 PM

You cannot change the source type after your data has been indexed. You will have to delete it and reindex. See this previous Answers posting or this one for methods and alternatives.

Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...