Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I change the sourcetype after the data has been indexed?

slin
Splunk Employee
Splunk Employee
‎06-11-2013 04:03 PM

I just installed Splunk for the first time. After some trial and error I uploaded a file but later I found that I need to change the sourcetype. Is there a way to do that?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

ChrisG
Splunk Employee
Splunk Employee
‎06-11-2013 04:21 PM

You cannot change the source type after your data has been indexed. You will have to delete it and reindex. See this previous Answers posting or this one for methods and alternatives.

View solution in original post

Reply
Solved! Jump to solution

markwymer
Path Finder
‎08-22-2016 06:01 AM

Sorry to resurrect an old post but I'm hoping that my comment/query will prompt an expert to advise me on the same subject rather than reasking the same question in a new post.

Would it not be possible, disk space permitting, to read the data from the original source and re-index it to a new index?

I.e.

index=original_index sourcetype=original_sourcetype host=xyz | collect index=new_index sourcetype=new_sourcetype host=xyz

Would this preserve the initial meta data whilst changing the sourcetype?

Thanks,
Mark

Reply
Solved! Jump to solution

kmuellercm
Explorer
‎09-13-2019 06:42 AM

This changes the sourcetype to 'stash' and is not configurable, just in case anyone finds this answer and thinks it's a work-around 🙂

0 Karma
Reply
Solved! Jump to solution

johnansett
Communicator
‎02-09-2022 03:07 PM

Not true - it is configurable.  Be aware tho changing the sourcetype using collect will be metered on ingestion licenses.

0 Karma
Reply
Solved! Jump to solution

amaynardclarku
Engager
‎01-23-2018 05:56 AM

Just what I was looking for. thanks

0 Karma
Reply
Solved! Jump to solution

jonwatson
Engager
‎04-13-2017 01:51 PM

Yes. That worked perfectly. Thank you.

I'd give points, but I have none to give.

0 Karma
Reply
Solved! Jump to solution

tmuthuk
Path Finder
‎06-11-2013 04:26 PM

You cannot change the source type once the data has been indexed

Reply
Solved! Jump to solution
Solution

ChrisG
Splunk Employee
Splunk Employee
‎06-11-2013 04:21 PM

You cannot change the source type after your data has been indexed. You will have to delete it and reindex. See this previous Answers posting or this one for methods and alternatives.

Reply
Get Updates on the Splunk Community!

New This Month - Splunk Observability updates and improvements for faster ...

What’s New? This month, we’re delivering several enhancements across Splunk Observability Cloud for faster and ...

What's New in Splunk Cloud Platform 9.3.2411?

Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...

Buttercup Games: Further Dashboarding Techniques (Part 6)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top