Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to update a data input file without uploading the entire file again?

mcohen13
Loves-to-Learn
‎05-28-2018 06:53 AM

I have a data input that upload a file on my Splunk server with TSV format and I want to add fields to my index by adding them to the file. How can I do that without Splunk uploading the entire file? I have a limited license of 1GB per day and the file is 5GB.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

xpac
SplunkTrust
SplunkTrust
‎05-28-2018 08:18 AM

Hey,

you can either upload only the new data, by adding it to a new file, and then upload that, or use the Splunk way - put it in a certain location, and use Splunk file monitors to take care of it. You can find more on this here:
Monitor files and directories

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

xpac
SplunkTrust
SplunkTrust
‎05-28-2018 08:18 AM

Hey,

you can either upload only the new data, by adding it to a new file, and then upload that, or use the Splunk way - put it in a certain location, and use Splunk file monitors to take care of it. You can find more on this here:
Monitor files and directories

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎05-28-2018 07:25 AM

Do you want to add those additional fields only to new events that are added in the future, or do you also want to add those additonal fields to already indexed events?

In the first case, you could create a new file, with the desired fields, make necessary changes to Splunk config to handle those new fields if necessary, and then start adding events to that new file, leaving the old file as is.

If you also want to add fields to already indexed data, it will be a bit more difficult to do that without re-indexing the old data with additional fields.

0 Karma
Reply
Solved! Jump to solution

mcohen13
Loves-to-Learn
‎05-28-2018 07:33 AM

it's the first case
so i need to:

  1. create new file that will have the old fields + new fields needed - prefer to not separate to two files
  2. add new data input from that file to the index
  3. stop writing to old file - to avoid duplicates

right?

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎05-29-2018 12:08 AM

Indeed, that should do the trick 🙂

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...