Getting Data In

How to update an existing index for a file, if the file is updated with new fields/attributes

patelya
New Member

Hi,

I have a CSV file with some values that I am forwarding to my indexer, and for this file, events and indexes are already created. Now my CSV file was updated and some new fields were added, like userId. My question is: will the newly added fields automatically be indexed? If not, is there a way to update the index so that it can have events with the newly added fields? I didn't find anything in the Indexers.conf file.

0 Karma

woodcock
Esteemed Legend

If you are using INDEXED_EXTRACTIONS and the header line of your CSV then it will be fine. Otherwise, you will have to update your props.conf settings.

0 Karma

somesoni2
Revered Legend

The data once indexed can't be updated, so the only option would be to get that file re-indexed (assuming it's getting indexed when you say you're forwarding to the indexer). So whether re-indexing will happen depends upon how it's been forwarded (being monitored, batched, or a one-time upload) and where the changes are made (how far in the file, from the start, the change occurred). If you can include more information on the file forwarding method and file updates, we may be able to give you proper suggestions.

0 Karma

patelya
New Member

Hi somesoni2,

Thanks for replying. Yes, the file is getting indexed after forwarding it to the indexer, and I am doing a one-time upload. I have, say, 10 records in my CSV file with 5 values. Now from the 11th record onwards the file will have 2 more values for each record.

Thanks
Yaju

0 Karma

DalJeanis
Legend

The answer is, most likely you need to modify props.conf.

It probably looks something like this:

[mysourcetypecsv]
FIELD_DELIMITER=,
FIELD_NAMES=myfield1,myfield2,myfield3,myfield4

Here's a good reference that shows how to do it if the fields might sometimes be present and sometimes not....

https://answers.splunk.com/answers/206240/best-way-to-index-csv-files-with-some-common-field.html

0 Karma
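
Added example, not part of any post above: a Python pre-check for the situation described in this thread, run against the CSV before it is forwarded again. It reports the first record whose value count differs from the header line, how far into the file that record starts, and which values have no header name. The sample CSV, its field names and the function name are constructed for illustration, and the script assumes one record per line (no quoted line breaks).

```python
import csv

# Constructed sample: a 5-name header, 10 records with 5 values,
# then records with 2 extra values from the 11th onwards.
HEADER = "ts,host,action,src,status\n"
OLD = "".join(
    f"2024-01-01T00:00:{i:02d}Z,web1,login,10.0.0.{i},ok\n" for i in range(1, 11)
)
NEW = "".join(
    f"2024-01-02T00:00:{i:02d}Z,web1,login,10.0.0.{i},ok,u{i},eu\n"
    for i in range(11, 13)
)
SAMPLE = HEADER + OLD + NEW


def find_schema_change(text, delimiter=","):
    """Return details of the first record whose value count differs from
    the header line, or None if every record matches the header."""
    offset = 0      # bytes consumed before the current line
    header = None
    for lineno, line in enumerate(text.splitlines(keepends=True)):
        row = next(csv.reader([line], delimiter=delimiter), [])
        if header is None:
            header = row                      # line 0 is the header
        elif row and len(row) != len(header):
            return {
                "record": lineno,             # 1-based data record number
                "byte_offset": offset,        # where that record starts
                "header_fields": len(header),
                "row_fields": len(row),
                # values that no header name covers (empty if the row is short)
                "unnamed_values": row[len(header):],
            }
        offset += len(line.encode("utf-8"))
    return None


if __name__ == "__main__":
    print(find_schema_change(SAMPLE))
```

A non-empty `unnamed_values` means the header line (or the field list in props.conf) has not been extended to name the new columns.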