Getting Data In

How to overwrite a sourcetype created by "collect" in a summary index?

xiangtaner
Path Finder

Hi,

I had a sourcetype created by "collect" command in a summary index. Now I modified my queries and want to replace the sourcetype with corrected results. I used "collect" command again but found that results only appended to the previous results instead of overwriting to it.

Could you please advise me?

Thanks!

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Reindexing of data doesn't overwrite the existing data, in fact, you can modify the data once indexed. Your option would be to clean (delete) the old/incorrect data before repopulating the new data.

0 Karma

masonmorales
Influencer

Converted to Answer.

0 Karma

xiangtaner
Path Finder

Thanks for the response! I am not an admin, so have no auth to delete data. Is there a easy way or an option for "collect" command to overwrite existing instead of appending? Thanks!

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Nopes, As I said, data once indexed can't be modified. What you can do is to either request your admin to delete that data OR update your queries in such a way that it takes the latest (correct) data.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...