
Is it possible to reindex the result of a Splunk search to a new index file and source type?


Is it possible to get the result of a current Splunk index into a new index file as a new source type?

[ Already indexed Data ] -----Use Splunk Search to move the result----> [ New "Index_file" as new index "source type" ]


Super Champion

What you are describing is similar in nature to how the 2010 timestamp issue fixing application works. The issue was with timestamps not being recognized properly with the year rollover on Jan 1, 2010. The incorrect date parsing configuration was fixed in a subsequent release; however, data that was already indexed incorrectly stayed incorrectly indexed. So the solution Splunk provided was to allow users to search for their incorrectly timestamped events and pass those events to a special search command that sends the events back into Splunk to be indexed again (this time with the correct date).

Now, obviously what you are trying to do has nothing to do with this date fix. However, the basic mechanism and process could be reused to suit your purposes of changing the index and sourcetype. Please note that this approach does count against your license usage, so keep that in mind.

Here is the link that talks about using this approach. (It also has a link to the app download.)

There is a good chance the app could require tweaking to suit your purposes. Please understand that I offer this as one possible solution, or a jumping-off point... but it is quite possible to shoot yourself in the foot with it. You have been warned.

I'm thinking that you could use a search like this to rename your sourcetype. Also, you will need to modify the script to set your destination index.

sourcetype=old_sourcetype_name | eval sourcetype="new_sourcetype_name" | evtreindex

A completely different approach is to use Splunk's exporttool and importtool. You can export your indexed data from a bucket in CSV format, tweak the sourcetype value, and then reload your events into a different bucket, which can be in a different index, in your scenario. There is some more info on the question Some of my data does not have the correct sourcetype. Can I change it?

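A small helper for the exporttool/importtool route described in the answer above, added here as an example and not code from this thread or from Splunk: it rewrites the sourcetype column of an exported CSV, leaves every other column untouched, and reports what it changed. The column layout (_time, source, host, sourcetype, _raw, _meta) is an assumption about exporttool's -csv output, so check it against your own export before relying on it.

```python
import csv
import io

# Assumed column layout of "splunk cmd exporttool <bucket> <file> -csv"
# (an assumption for this example, not something the thread states).
EXPECTED_COLUMNS = ["_time", "source", "host", "sourcetype", "_raw", "_meta"]

def rewrite_sourcetype(csv_text, old_sourcetype, new_sourcetype):
    """Return (rewritten_csv, changed, skipped, meta_hits).
    Only rows whose sourcetype equals old_sourcetype are rewritten; _time,
    _raw and _meta are copied through so importtool reloads the events with
    their original timestamp and text. meta_hits counts rewritten rows whose
    _meta still mentions 'sourcetype::', worth a manual look before import."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames != EXPECTED_COLUMNS:
        raise ValueError("unexpected export layout: %r" % (reader.fieldnames,))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=EXPECTED_COLUMNS,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    changed = skipped = meta_hits = 0
    for row in reader:
        if row["sourcetype"] == old_sourcetype:
            row["sourcetype"] = new_sourcetype
            changed += 1
            if "sourcetype::" in row["_meta"]:
                meta_hits += 1
        else:
            skipped += 1  # other sourcetypes in the bucket stay as they are
        writer.writerow(row)
    return out.getvalue(), changed, skipped, meta_hits

# Constructed sample export for a stand-alone run (not real indexed data).
SAMPLE_EXPORT = (
    '"_time",source,host,sourcetype,"_raw","_meta"\n'
    '"1262304000","/var/log/app.log","web01","old_sourcetype_name",'
    '"Jan  1 00:00:00 web01 app: started","punct::___::_:"\n'
    '"1262304060","/var/log/app.log","web01","old_sourcetype_name",'
    '"Jan  1 00:01:00 web01 app: login ok","punct::___::_:"\n'
    '"1262304120","/var/log/other.log","web02","unrelated_sourcetype",'
    '"Jan  1 00:02:00 web02 other: tick","punct::___::_:"\n'
)

if __name__ == "__main__":
    text, changed, skipped, meta_hits = rewrite_sourcetype(
        SAMPLE_EXPORT, "old_sourcetype_name", "new_sourcetype_name")
    print(text)
    print("changed=%d skipped=%d meta_hits=%d" % (changed, skipped, meta_hits))
```

Run it against a real export by reading the file into csv_text and writing the returned text to the file you hand to importtool; the rewrite still counts against license usage, as the answer notes.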

Splunk Employee

Are you talking about processing the data in some way, and then storing the results? If so, that is what summary indexing accomplishes.


Splunk Employee

I would not recommend doing this, and I would first ask the reason for wanting to rename the source type.

Additionally, you could simply delete and re-index the data although that can be a tedious and tricky process.
