Getting Data In

How to index by old sourcetype, after logs monitoring has been disabled

New Member

Hi,

We have below configuration:

  1. source: <Path>/access.log
  2. sourceType: AccessLogs
  3. Index: AccessLog

Now we need to create a new sourceType (and also a new index) as per a requirement and disable the old index (it shouldn't monitor logs from now onwards). But the old data that exists till now needs to be searched using the old sourcetype. How do we configure this?

Can an index/sourceType exist without any source (to monitor)?

Thanks,
Ramu

0 Karma

SplunkTrust

Your sourcetypes are found in your inputs.conf files or from anywhere in Splunk Web:

Splunk Filesystem
$splunk_home$/etc/{application name}/(local OR default)/inputs.conf

Splunk Web:
Select System, and then select Data inputs from the Data section of the System pop-up. This takes you to a page where you can view and manage your existing inputs, as well as add new ones.

You'll just change the input for the data to point to the new index and have the new sourcetype.

Check this article out for more details: http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configureyourinputs

0 Karma

SplunkTrust

If you disable the old index you will not be able to search it.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
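
The change the two replies describe, as an added example that is not part of the original thread: the monitor stanza is repointed while the old index is left enabled, since events already indexed keep the index and sourcetype they were written with. `new_index` and `new_sourcetype` are placeholder names, and `<Path>` is the elided path from the question.

```ini
# ---- inputs.conf (where the monitor input is defined) ----

# Before: the input as described in the question.
# [monitor://<Path>/access.log]
# index = AccessLog
# sourcetype = AccessLogs

# After: same file, routed to the new index with the new sourcetype.
# Only events read from now on get these values.
[monitor://<Path>/access.log]
index = new_index
sourcetype = new_sourcetype
disabled = false

# ---- indexes.conf (on the indexer) ----

# The new index must exist before the input starts sending to it.
[new_index]
homePath   = $SPLUNK_DB/new_index/db
coldPath   = $SPLUNK_DB/new_index/colddb
thawedPath = $SPLUNK_DB/new_index/thaweddb

# The existing [AccessLog] stanza is left unchanged. Do not set
# "disabled = true" on it: a disabled index cannot be searched.
# With no input writing to it, it simply stops growing.

# ---- Searching the historical data ----
# index=AccessLog sourcetype=AccessLogs
```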