I am new to splunk, please excuse me for my simple question.
How do we remove source type. I imported a new data file and created a new source type and later had to drop the input file for testing purpose. Again i tried to create this input file and i ran into duplicate source type. I have dropped both data and index for this and still get duplicate source type error message.
Also in props.conf file i have removed entries for source type. I also searched in /opt/splunk/etc/system/default/sourcetypes.conf for my source type information and did not find anything.
Thanks for your help and looking into this question. Let me know if you need any further info about this.
I have never seen a duplicate sourcetype error message. Could you post it?
How exactly did you "drop" the data and index?
Try reusing the same sourcetype while import and "adjust eventbreaking and timestamp recognition" during preview to update the sourcetype if required.
Ok, you probably cannot save over an existing sourcetype.
If you had to change an existing one, then this likely be worth creating a new one, why not save it with a new name ?
I dont see this issue in 6.0.2 any more, It could be a bug in 6.0.1 version, i upgraded to 6.0.2.
Thanks for all your support guys really this community has helped me learn so much in splunk in no time.
All the created sourcetype was configured in "props.conf" file under "/etc/system/local". To reuse the sourcetype you previously use, you must delete its configuration first.
Hope this helps!!