Hi,
I had a sourcetype created by "collect" command in a summary index. Now I modified my queries and want to replace the sourcetype with corrected results. I used "collect" command again but found that results only appended to the previous results instead of overwriting to it.
Could you please advise me?
Thanks!
Reindexing of data doesn't overwrite the existing data, in fact, you can modify the data once indexed. Your option would be to clean (delete) the old/incorrect data before repopulating the new data.
Converted to Answer.
Thanks for the response! I am not an admin, so have no auth to delete data. Is there a easy way or an option for "collect" command to overwrite existing instead of appending? Thanks!
Nopes, As I said, data once indexed can't be modified. What you can do is to either request your admin to delete that data OR update your queries in such a way that it takes the latest (correct) data.