How to change the index for a certain sourcetype?

vkakani60 · ‎07-07-2016

I have an index called high with sourcetype logs

logs sourcetype is continuously indexing logs under \logs dir.

I have decided to create a new index and want to move those logs to that new index called Medium.

I have successfully moved the events to Medium,

index="high" sourcetype=logs | collect index="Medium"

but I can't see the events with the sourcetype

index="Medium" sourcetype=logs 
no events found

index="Medium"

It works and shows all the events, but not real-time logs.
And when new logs were updated under logs sourcetype, Splunk is showing those real-time logs under index high, not under the Medium index.

How to show real-time events under medium index instead of high index with sourcetype logs ?

somesoni2 · ‎07-07-2016

After the collect command, the sourcetype is changed to stash. I don't think this is the right way to move data between indexes.
First, you should modify your data input configurations (inputs.conf) on forwarders/data source to use index=Medium instead of index=High. This should make all the real-time/latest data to go to index=Medium.
Then, for moving historical data, easy option would be create an eventtype/macro which will collect data from both the indexes (high and Medium). Once all the data in index=high is retired (based on retention policy set), you can update the macro/eventtype to just use index=Medium.

OR follow method described here
https://answers.splunk.com/answers/32176/is-it-possible-to-migrate-indexed-buckets-to-a-different-in...

How to change the index for a certain sourcetype?

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All