Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I change the sourcetype after the data has been indexed?

slin
Splunk Employee
Splunk Employee
‎06-11-2013 04:03 PM

I just installed Splunk for the first time. After some trial and error I uploaded a file but later I found that I need to change the sourcetype. Is there a way to do that?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

ChrisG
Splunk Employee
Splunk Employee
‎06-11-2013 04:21 PM

You cannot change the source type after your data has been indexed. You will have to delete it and reindex. See this previous Answers posting or this one for methods and alternatives.

View solution in original post

Reply
Solved! Jump to solution

markwymer
Path Finder
‎08-22-2016 06:01 AM

Sorry to resurrect an old post but I'm hoping that my comment/query will prompt an expert to advise me on the same subject rather than reasking the same question in a new post.

Would it not be possible, disk space permitting, to read the data from the original source and re-index it to a new index?

I.e.

index=original_index sourcetype=original_sourcetype host=xyz | collect index=new_index sourcetype=new_sourcetype host=xyz

Would this preserve the initial meta data whilst changing the sourcetype?

Thanks,
Mark

Reply
Solved! Jump to solution

kmuellercm
Explorer
‎09-13-2019 06:42 AM

This changes the sourcetype to 'stash' and is not configurable, just in case anyone finds this answer and thinks it's a work-around 🙂

0 Karma
Reply
Solved! Jump to solution

johnansett
Communicator
‎02-09-2022 03:07 PM

Not true - it is configurable.  Be aware tho changing the sourcetype using collect will be metered on ingestion licenses.

0 Karma
Reply
Solved! Jump to solution

amaynardclarku
Engager
‎01-23-2018 05:56 AM

Just what I was looking for. thanks

0 Karma
Reply
Solved! Jump to solution

jonwatson
Engager
‎04-13-2017 01:51 PM

Yes. That worked perfectly. Thank you.

I'd give points, but I have none to give.

0 Karma
Reply
Solved! Jump to solution

tmuthuk
Path Finder
‎06-11-2013 04:26 PM

You cannot change the source type once the data has been indexed

Reply
Solved! Jump to solution
Solution

ChrisG
Splunk Employee
Splunk Employee
‎06-11-2013 04:21 PM

You cannot change the source type after your data has been indexed. You will have to delete it and reindex. See this previous Answers posting or this one for methods and alternatives.

Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...