Getting Data In

How to change which index a sourcetype is indexed to?

SridharS
Path Finder

Hi,

Currently I am using "Index1" for "sourcetype1". I want to change this "sourcetype1" to a new index "Index2". I made changes in the inputs.conf under splunkhome/etc/deployment-apps/appname/local in the deployment server and restarted Splunk, but still the "sourcetype1" is not indexing to "Index2". May I know whether I am missing something, or is it mandatory to go into the remote server and do changes in the Splunk forwarder..

Tags (2)
0 Karma

muebel
SplunkTrust
SplunkTrust

Hi SridharS, I'd verify that the forwarder has received the new inputs.conf, and has been restarted. This will be required for the new inputs settings to take effect.

The serverclass mapped to the inputs app could have restartSplunkd = true in order to enforce a reboot whenever the app is updated.

somesoni2
Revered Legend

Two things here
1) Yes, you would need to update the inputs.conf on the forwarder (using deployment server if you use one) to update the index for the sourcetype for future events.
2) Historical data would still be stored under older index.

0 Karma