
How to index by old sourcetype, after logs monitoring has been disabled

ramup
New Member

Hi,

We have the below configuration:

  1. source: <Path>/access.log
  2. sourceType: AccessLogs
  3. Index: AccessLog

Now, we need to create a new sourceType (and also a new index) as per requirement and disable the old index (it shouldn't monitor logs from now onwards). But old data exists till now and needs to be searched using the old sourcetype. How do we configure these?

Can an index/sourceType exist without any source (to monitor)?

Thanks,
Ramu

0 Karma

jkat54
SplunkTrust

Your sourcetypes are found in your inputs.conf files or from anywhere in Splunk Web:

Splunk Filesystem:
$splunk_home$/etc/{application name}/(local OR default)/inputs.conf

Splunk Web:
Select System, and then select Data inputs from the Data section of the System pop-up. This takes you to a page where you can view and manage your existing inputs, as well as add new ones.

You'll just change the input for the data to point to the new index and have the new sourcetype.

Check this article out for more details: http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configureyourinputs

0 Karma

richgalloway
SplunkTrust

If you disable the old index you will not be able to search it.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
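
The two answers above combined into one configuration, as an added example that is not part of the original thread: the existing monitor input is re-pointed at a new index and sourcetype, and the old index is left enabled so its events stay searchable. The names `accesslog_v2` and `AccessLogsV2` are hypothetical, and `<Path>` is the placeholder from the question.

```ini
# ---- inputs.conf ----
# Added example. Splunk .conf comments must sit on their own line.
# Re-point the existing monitor stanza rather than adding a second stanza
# for the same file. Events read from now on get the new index and sourcetype.
# accesslog_v2 and AccessLogsV2 are hypothetical names.
[monitor://<Path>/access.log]
index = accesslog_v2
sourcetype = AccessLogsV2
disabled = false

# ---- indexes.conf ----
# Define the new (hypothetical) index.
# Leave the existing stanza for the old index untouched: do not set
# "disabled = true" on it, or its events can no longer be searched.
[accesslog_v2]
homePath   = $SPLUNK_DB/accesslog_v2/db
coldPath   = $SPLUNK_DB/accesslog_v2/colddb
thawedPath = $SPLUNK_DB/accesslog_v2/thaweddb
```

Events that were already indexed keep the index and sourcetype they were written with, so a search such as `index=AccessLog sourcetype=AccessLogs` still returns the old data even though no input feeds that index any more.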