How to delete an "source type" that is tied to ind...

nitin82pandey · ‎10-25-2013

Hi, still learning Splunk and.....need to know..
How to delete an "source type" that is tied to indexed data. I accidentally added the source type and now want to correct it. I am using Ver. 5.0.4.

Can help?

Thanks!

alacercogitatus · ‎10-25-2013

You can handle this in a few ways:

1) Delete the data (must have the can_delete capability) using | delete
2) Alias the sourcetype - add this to props.conf
[old_sourcetype] rename = new_sourcetype]
3) re-index the data with the correct sourcetype.

nitin82pandey · ‎11-06-2013

Thanks for asking.
I deleted the old sourcetype and re-indexed (and not stealing the credit....your answer helped me too.).

Thanks again!

alacercogitatus · ‎10-29-2013

Did this help you?

datienzalopez · ‎10-25-2013

Hi,

Try with this command in the search: sourcetype= | delete

Before you need to check that your user have permissions to do this.

Cheers,

nitin82pandey · ‎11-06-2013

Thanks....this was helpful.

How to delete an "source type" that is tied to indexed data. I accidentally added the source type and now want to correct it. Can help?

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!