Getting Data In
Highlighted

How to delete/remove sourcetype

Explorer

Hello,

I am new to splunk, please excuse me for my simple question.

How do we remove source type. I imported a new data file and created a new source type and later had to drop the input file for testing purpose. Again i tried to create this input file and i ran into duplicate source type. I have dropped both data and index for this and still get duplicate source type error message.

Also in props.conf file i have removed entries for source type. I also searched in /opt/splunk/etc/system/default/sourcetypes.conf for my source type information and did not find anything.

Thanks for your help and looking into this question. Let me know if you need any further info about this.

Thanks
Deepak

Tags (2)
0 Karma
Highlighted

Re: How to delete/remove sourcetype

Super Champion

I have never seen a duplicate sourcetype error message. Could you post it?
How exactly did you "drop" the data and index?

Highlighted

Re: How to delete/remove sourcetype

SplunkTrust
SplunkTrust

Try reusing the same sourcetype while import and "adjust eventbreaking and timestamp recognition" during preview to update the sourcetype if required.

0 Karma
Highlighted

Re: How to delete/remove sourcetype

Splunk Employee
Splunk Employee

Ok, you probably cannot save over an existing sourcetype.
If you had to change an existing one, then this likely be worth creating a new one, why not save it with a new name ?

View solution in original post

0 Karma
Highlighted

Re: How to delete/remove sourcetype

Explorer
  • I added a new data, created a new source type and created an index.
  • After that i dropped both index and data for some reasons, verified that props.conf didnt have any source type information.
  • After that I added new data and tried to create a source type same as previously used and i got error saying duplicate source type.

I dont see this issue in 6.0.2 any more, It could be a bug in 6.0.1 version, i upgraded to 6.0.2.

Thanks for all your support guys really this community has helped me learn so much in splunk in no time.

0 Karma
Highlighted

Re: How to delete/remove sourcetype

Explorer

Hi,

All the created sourcetype was configured in "props.conf" file under "/etc/system/local". To reuse the sourcetype you previously use, you must delete its configuration first.

Hope this helps!!

0 Karma