How to overwrite a sourcetype created by "collect"...

xiangtaner · ‎05-19-2016

Hi,

I had a sourcetype created by "collect" command in a summary index. Now I modified my queries and want to replace the sourcetype with corrected results. I used "collect" command again but found that results only appended to the previous results instead of overwriting to it.

Could you please advise me?

Thanks!

somesoni2 · ‎05-19-2016

Reindexing of data doesn't overwrite the existing data, in fact, you can modify the data once indexed. Your option would be to clean (delete) the old/incorrect data before repopulating the new data.

masonmorales · ‎05-19-2016

Converted to Answer.

xiangtaner · ‎05-19-2016

Thanks for the response! I am not an admin, so have no auth to delete data. Is there a easy way or an option for "collect" command to overwrite existing instead of appending? Thanks!

somesoni2 · ‎05-19-2016

Nopes, As I said, data once indexed can't be modified. What you can do is to either request your admin to delete that data OR update your queries in such a way that it takes the latest (correct) data.

How to overwrite a sourcetype created by "collect" in a summary index?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor