Getting Data In

How to delete/remove sourcetype

deepakmurthy
Explorer

Hello,

I am new to splunk, please excuse me for my simple question.

How do we remove source type. I imported a new data file and created a new source type and later had to drop the input file for testing purpose. Again i tried to create this input file and i ran into duplicate source type. I have dropped both data and index for this and still get duplicate source type error message.

Also in props.conf file i have removed entries for source type. I also searched in /opt/splunk/etc/system/default/sourcetypes.conf for my source type information and did not find anything.

Thanks for your help and looking into this question. Let me know if you need any further info about this.

Thanks
Deepak

Tags (2)
0 Karma
1 Solution

yannK
Splunk Employee
Splunk Employee

Ok, you probably cannot save over an existing sourcetype.
If you had to change an existing one, then this likely be worth creating a new one, why not save it with a new name ?

View solution in original post

0 Karma

jhlopez
Explorer

Hi,

All the created sourcetype was configured in "props.conf" file under "/etc/system/local". To reuse the sourcetype you previously use, you must delete its configuration first.

Hope this helps!!

0 Karma

deepakmurthy
Explorer
  • I added a new data, created a new source type and created an index.
  • After that i dropped both index and data for some reasons, verified that props.conf didnt have any source type information.
  • After that I added new data and tried to create a source type same as previously used and i got error saying duplicate source type.

I dont see this issue in 6.0.2 any more, It could be a bug in 6.0.1 version, i upgraded to 6.0.2.

Thanks for all your support guys really this community has helped me learn so much in splunk in no time.

0 Karma

yannK
Splunk Employee
Splunk Employee

Ok, you probably cannot save over an existing sourcetype.
If you had to change an existing one, then this likely be worth creating a new one, why not save it with a new name ?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try reusing the same sourcetype while import and "adjust eventbreaking and timestamp recognition" during preview to update the sourcetype if required.

0 Karma

lukejadamec
Super Champion

I have never seen a duplicate sourcetype error message. Could you post it?
How exactly did you "drop" the data and index?

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...