Getting Data In

Index name is not getting changed in old log files

chris1
Explorer

Hi,

I have installed splunk universal forwarder on one of my windows server, while installing I've given the log directory details. I can see those logs in my index server by searching host=<hostname>. Now I've created a new index (index=Test) and restarted splunk. I've updated the inputs.conf of the windows server where forwarder is installed and restarted my splunkForwarder service. Now if I search with index=Test host=<hostname>, I can see only the logs which came after updating the index in inputs.conf. The old logs which were in splunk already (before udpating the index), still doesn't in the new index. Please let me know how to make those old logs also within this index.

Thanks in advance!

Tags (2)
0 Karma

woodcock
Esteemed Legend

You cannot; already-indexed data is immutable. You can however delete it and then trick your forwarders into sending it again. That is your only option.

0 Karma

chris1
Explorer

Hi ,

Can you please give me more details about how to delete?

Thank you.

0 Karma

woodcock
Esteemed Legend

There is a delete command (that doesn't really delete). Read about it here:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/delete

0 Karma

chris1
Explorer

Hi,

Thank you so much..When I install the forwarder in windows server, I can select the directory, but there is no option to give the index for that. In this case how can I give the index while installing forwarder in windows?

0 Karma

woodcock
Esteemed Legend

Are you telling me that installing the Splunk Windows Universal Forwarder by default sends event to index=Test? I find this very hard to believe and have never seen this before.

0 Karma

chris1
Explorer

Hi Woodcock,

Nope. I am just asking you.. is there any way to give the index details while installing splunk forwarder? I can see the option to select the directory, but I don't find any option related to index while installing forwarder.

0 Karma

woodcock
Esteemed Legend

What do you mean by "installing Splunk forwarder"? Installing a forwarder does not enable any inputs other than the _* ones. Do you really mean "adding an input" instead of "installing Splunk forwarder"?

0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...