Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to change the index for a certain sourcetype?

vkakani60
Path Finder
‎07-07-2016 10:58 AM

I have an index called high with sourcetype logs

logs sourcetype is continuously indexing logs under \logs dir.

I have decided to create a new index and want to move those logs to that new index called Medium.

I have successfully moved the events to Medium, 

index="high" sourcetype=logs | collect index="Medium"

but I can't see the events with the sourcetype

index="Medium" sourcetype=logs 
no events found

index="Medium"

It works and shows all the events, but not real-time logs.
And when new logs were updated under logs sourcetype, Splunk is showing those real-time logs under index high, not under the Medium index.

How to show real-time events under medium index instead of high index with sourcetype logs ?

0 Karma
Reply

somesoni2
Revered Legend
‎07-07-2016 11:08 AM

After the collect command, the sourcetype is changed to stash. I don't think this is the right way to move data between indexes.
First, you should modify your data input configurations (inputs.conf) on forwarders/data source to use index=Medium instead of index=High. This should make all the real-time/latest data to go to index=Medium.
Then, for moving historical data, easy option would be create an eventtype/macro which will collect data from both the indexes (high and Medium). Once all the data in index=high is retired (based on retention policy set), you can update the macro/eventtype to just use index=Medium.

OR follow method described here
https://answers.splunk.com/answers/32176/is-it-possible-to-migrate-indexed-buckets-to-a-different-in...

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...