Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I change the sourcetype after the data has been indexed?

slin
Splunk Employee
Splunk Employee
‎06-11-2013 04:03 PM

I just installed Splunk for the first time. After some trial and error I uploaded a file but later I found that I need to change the sourcetype. Is there a way to do that?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

ChrisG
Splunk Employee
Splunk Employee
‎06-11-2013 04:21 PM

You cannot change the source type after your data has been indexed. You will have to delete it and reindex. See this previous Answers posting or this one for methods and alternatives.

View solution in original post

Reply
Solved! Jump to solution

markwymer
Path Finder
‎08-22-2016 06:01 AM

Sorry to resurrect an old post but I'm hoping that my comment/query will prompt an expert to advise me on the same subject rather than reasking the same question in a new post.

Would it not be possible, disk space permitting, to read the data from the original source and re-index it to a new index?

I.e.

index=original_index sourcetype=original_sourcetype host=xyz | collect index=new_index sourcetype=new_sourcetype host=xyz

Would this preserve the initial meta data whilst changing the sourcetype?

Thanks,
Mark

Reply
Solved! Jump to solution

kmuellercm
Explorer
‎09-13-2019 06:42 AM

This changes the sourcetype to 'stash' and is not configurable, just in case anyone finds this answer and thinks it's a work-around 🙂

0 Karma
Reply
Solved! Jump to solution

johnansett
Communicator
‎02-09-2022 03:07 PM

Not true - it is configurable.  Be aware tho changing the sourcetype using collect will be metered on ingestion licenses.

0 Karma
Reply
Solved! Jump to solution

amaynardclarku
Engager
‎01-23-2018 05:56 AM

Just what I was looking for. thanks

0 Karma
Reply
Solved! Jump to solution

jonwatson
Engager
‎04-13-2017 01:51 PM

Yes. That worked perfectly. Thank you.

I'd give points, but I have none to give.

0 Karma
Reply
Solved! Jump to solution

tmuthuk
Path Finder
‎06-11-2013 04:26 PM

You cannot change the source type once the data has been indexed

Reply
Solved! Jump to solution
Solution

ChrisG
Splunk Employee
Splunk Employee
‎06-11-2013 04:21 PM

You cannot change the source type after your data has been indexed. You will have to delete it and reindex. See this previous Answers posting or this one for methods and alternatives.

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...