Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to delete/remove sourcetype

deepakmurthy
Explorer
‎02-21-2014 03:10 PM

Hello,

I am new to splunk, please excuse me for my simple question.

How do we remove source type. I imported a new data file and created a new source type and later had to drop the input file for testing purpose. Again i tried to create this input file and i ran into duplicate source type. I have dropped both data and index for this and still get duplicate source type error message.

Also in props.conf file i have removed entries for source type. I also searched in /opt/splunk/etc/system/default/sourcetypes.conf for my source type information and did not find anything.

Thanks for your help and looking into this question. Let me know if you need any further info about this.

Thanks
Deepak

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎02-23-2014 07:44 PM

Ok, you probably cannot save over an existing sourcetype.
If you had to change an existing one, then this likely be worth creating a new one, why not save it with a new name ?

View solution in original post

0 Karma
Reply
Solved! Jump to solution

jhlopez
Explorer
‎12-02-2014 11:14 PM

Hi,

All the created sourcetype was configured in "props.conf" file under "/etc/system/local". To reuse the sourcetype you previously use, you must delete its configuration first.

Hope this helps!!

0 Karma
Reply
Solved! Jump to solution

deepakmurthy
Explorer
‎02-27-2014 10:41 AM
  • I added a new data, created a new source type and created an index.
  • After that i dropped both index and data for some reasons, verified that props.conf didnt have any source type information.
  • After that I added new data and tried to create a source type same as previously used and i got error saying duplicate source type.

I dont see this issue in 6.0.2 any more, It could be a bug in 6.0.1 version, i upgraded to 6.0.2.

Thanks for all your support guys really this community has helped me learn so much in splunk in no time.

0 Karma
Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎02-23-2014 07:44 PM

Ok, you probably cannot save over an existing sourcetype.
If you had to change an existing one, then this likely be worth creating a new one, why not save it with a new name ?

0 Karma
Reply
Solved! Jump to solution

somesoni2
SplunkTrust
SplunkTrust
‎02-21-2014 08:44 PM

Try reusing the same sourcetype while import and "adjust eventbreaking and timestamp recognition" during preview to update the sourcetype if required.

0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎02-21-2014 08:29 PM

I have never seen a duplicate sourcetype error message. Could you post it?
How exactly did you "drop" the data and index?

Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...