Solved: Trouble re-creating sourcetype after delete

lain179 · ‎11-01-2012

I created some incorrect logs with the command

sourcetype="DS Logs" | delete

I have can_delete permission, and the process went through without any error. Then I changed input and transforms conf files and restarted Splunk to grab correct logs, but nothing happened. I can't clean the index because I need the data in that index that belong to other sourcetypes.

Please advise.

I cannot add new source or sourcetype and monitoring the DS sourcetype doesn't work anymore

gkanapathy · ‎11-01-2012

see this answer: http://splunk-base.splunk.com/answers/684/after-fixing-propsconf-how-to-re-index-the-same-files-usin...

View solution in original post

gkanapathy · ‎11-01-2012

see this answer: http://splunk-base.splunk.com/answers/684/after-fixing-propsconf-how-to-re-index-the-same-files-usin...

lain179 · ‎11-02-2012

Never mind. It's working now. The server TCP connection had an issue and that's why it's not updating the monitored logs.

lain179 · ‎11-02-2012

This command solves my problem of re-adding the same logs

./splunk add oneshot /full/path/to/file -sourcetype mysourcetype -index myindex -host myhostparam

But I have new sourcetypes, and they are not going into Splunk either. What else do I have to do?

Trouble re-creating sourcetype after delete

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Splunk Observability Metrics Cost Optimization

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation