Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to move data from one sourcetype to another sourcetype?

vishal_bandavad
Explorer
‎02-09-2016 10:53 AM

Hi,

I have sourcetype "abc" which has few days data. Now we have decided to modified the sourcetype name to def . I have made the required changes and data is coming to the new sourcetype. I just want to know how I could copy old sourcetype data to the new one.

Kindly help.

Tags (2)
0 Karma
Reply

DUThibault
Contributor
‎01-22-2018 07:17 AM

To change the indexed source and/or sourcetype after the fact, you need to export the raw data, delete it from the index, then re-import it. This is explained here: https://answers.splunk.com/answers/39756/change-source-and-sourcetype.html

In summary:

1) Export the logs with incorrect sourcetype so you have the raw, original logs:

 splunk search "index=myindex sourcetype=wrong_source_type" -maxout 0 -output rawdata > raw.logs

(Optionally also specify earliest=<timestamp> latest=<timestamp> -preview 0 etc.)

2) Delete the logs with incorrect sourcetype:

 index=myindex sourcetype=wrong_source_type | delete

(Use the same arguments as for the search)
(You have to add the 'delete' role to your account before doing this)

3) Re-index the raw logs:

 splunk add oneshot raw.logs -host myhost -index myindex -sourcetype correct_sourcetype -rename-source correct_source

(Without -rename-source , the new index would have source=raw.logs )

0 Karma
Reply

ppablo
Retired
‎04-20-2016 12:47 PM

Hi @vishal_bandavade

Can you revisit this post and confirm if the answer below solved your question? If yes, please resolve the post by clicking "Accept" directly below @Jeremiah's answer. Don't forget to upvote any responses in the thread that were helpful for you.

0 Karma
Reply

Jeremiah
Motivator
‎02-09-2016 11:21 AM

Take a look at sourcetype renaming. You can rename your abc events to def. This doesn't reindex or move the data, it just renames the sourcetype at search time.

http://docs.splunk.com/Documentation/Splunk/6.3.3/Data/Renamesourcetypes

In your props.conf do the following:

[abc]
rename=def
Reply

masonmorales
Influencer
‎02-09-2016 11:27 AM

^ @vishal_bandavade This. Your only other option is to delete and re-index the data.

Reply

MuS
Legend
‎02-09-2016 11:37 AM

and to add two important notes:

The indexed events still contain the original source type name. The renaming occurs only at search time. Also, renaming the source type does only that; it does not fix any problems with the indexed format of your event data caused by assigning the wrong source type in the first place.

and

Data from a renamed source type will only use the search-time configuration for the target source type
0 Karma
Reply

somesoni2
Revered Legend
‎02-09-2016 11:59 AM

Further,
The renamed sourcetype will not work for searches that queries tsidx /metadata files, such as "| metadata" OR "| tstats" etc.

0 Karma
Reply
Get Updates on the Splunk Community!

Digital Resilience Assessment Launch | How prepared are you for disruption?

Disruption is inevitable. The question is – how prepared are you to handle it? In today’s fast-moving digital ...

Buttercup Games: Further Dashboarding Techniques (Part 2)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Index This | What is the next number in the series? 7,645 5,764 4,576…

February 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...