
Is it possible to reindex result of splunk search result to a new index file and source type?

clyde772
Communicator

Is it possible to get the result of a current splunk index into a new index file as a new source type?

[ Already indexed Data ] -----Use Splunk Search to move the result----> [ New "Index_file" as new index "source type" ]


Lowell
Super Champion

What you are describing is similar in nature to how the 2010 timestamp issue fixing application works. The issue was with timestamps not being recognized properly with the year rollover on Jan 1, 2010. The incorrect date parsing configuration was fixed in a subsequent release; however, data that was already indexed incorrectly stayed incorrectly indexed. So the solution splunk provided was to allow users to search for their incorrectly timestamped events and pass those events to a special search command that sends the events back into splunk to be indexed again (this time with the correct date).

Now, obviously what you are trying to do has nothing to do with this date fix. However, the basic mechanism and process could be reused to suit your purposes of changing the index and sourcetype. Please note that this approach does count against your license usage, so keep that in mind.

Here is the link that talks about using this approach. (It also has link to the app download.)

There is a good chance the app could require tweaking to suit your purposes. Please understand that I offer this as one possible solution, or a jumping-off point... but it is quite possible to shoot yourself in the foot with it. You have been warned.

I'm thinking that you could use a search like this to rename your sourcetype. Also, you will need to modify the script to set your destination index.

sourcetype=old_sourcetype_name | eval sourcetype="new_sourcetype_name" | evtreindex

A completely different approach is to use Splunk's exporttool and importtool. You can export your indexed data from a bucket in csv format, tweak the sourcetype value, and then reload your events into a different bucket, which can be in a different index, in your scenario. There is some more info on the question Some of my data does not have the correct sourcetype. Can I change it?

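The export/tweak/reload approach in the answer above, as an added example that is not part of the original post or of any Splunk tool: a small Python script that takes a CSV export of indexed events, rewrites the sourcetype and index of the selected events, drops everything else so only the intended events are re-sent, and totals the raw bytes that the re-index would charge against the license (the point the answer raises about license usage). The column layout (_time, host, source, sourcetype, index, _raw) and the sample rows are constructed for this example and are not the documented output format of exporttool.

```python
import csv
import io

# Constructed sample standing in for a CSV export of indexed events.
# The column set below is an assumption for this example, not the
# documented layout of Splunk's exporttool output.
SAMPLE_EXPORT = """\
_time,host,source,sourcetype,index,_raw
1262304000,web01,/var/log/nginx/access.log,old_sourcetype_name,main,"10.0.0.5 - - [01/Jan/2010:00:00:00 +0000] ""GET /login HTTP/1.1"" 200 512"
1262304001,web01,/var/log/nginx/access.log,old_sourcetype_name,main,"10.0.0.6 - - [01/Jan/2010:00:00:01 +0000] ""POST /login HTTP/1.1"" 401 87"
1262304002,db01,/var/log/postgresql.log,postgres_log,main,LOG: connection received: host=10.0.0.5
"""

REQUIRED_COLUMNS = ("_time", "sourcetype", "index", "_raw")


def rewrite_export(csv_text, sourcetype_map, target_index):
    """Return (rewritten_csv_text, stats).

    Events whose sourcetype is a key of sourcetype_map are rewritten to the
    mapped sourcetype and pointed at target_index; all other events are
    dropped, so only the selected events are reloaded and counted against
    the license.  _time and _raw are copied through untouched so the event
    content and its original timestamp survive the re-index.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        # Refuse to produce a half-usable file rather than silently dropping fields.
        raise ValueError("export is missing required columns: " + ", ".join(missing))

    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()

    stats = {"selected": 0, "skipped": 0, "license_bytes": 0}
    for row in reader:
        new_sourcetype = sourcetype_map.get(row["sourcetype"])
        if new_sourcetype is None:
            stats["skipped"] += 1
            continue
        row["sourcetype"] = new_sourcetype
        row["index"] = target_index
        # Indexing volume is charged on raw event bytes, and re-indexing the
        # same _raw is charged again; total it so the cost is known up front.
        stats["license_bytes"] += len(row["_raw"].encode("utf-8"))
        stats["selected"] += 1
        writer.writerow(row)
    return out.getvalue(), stats


if __name__ == "__main__":
    rewritten, stats = rewrite_export(
        SAMPLE_EXPORT, {"old_sourcetype_name": "new_sourcetype_name"}, "new_index"
    )
    print(rewritten)
    print(stats)
```

Run it as-is to see the rewritten CSV and the counts; with a real export, feed the file contents in place of SAMPLE_EXPORT and check stats["license_bytes"] against your daily quota before reloading anything. Events with sourcetypes outside the map are deliberately left out rather than copied through, so a too-broad export cannot quietly double-index unrelated data.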

gkanapathy
Splunk Employee

Are you talking about processing the data in some way, and then storing the results? If so, that is what summary indexing accomplishes.


Simeon
Splunk Employee

I would not recommend doing this, and I would first ask the reason for wanting to rename the source type.

Additionally, you could simply delete and re-index the data although that can be a tedious and tricky process.
