Solved: Trouble re-creating sourcetype after delete

lain179 · ‎11-01-2012

I created some incorrect logs with the command

sourcetype="DS Logs" | delete

I have can_delete permission, and the process went through without any error. Then I changed input and transforms conf files and restarted Splunk to grab correct logs, but nothing happened. I can't clean the index because I need the data in that index that belong to other sourcetypes.

Please advise.

I cannot add new source or sourcetype and monitoring the DS sourcetype doesn't work anymore

gkanapathy · ‎11-01-2012

see this answer: http://splunk-base.splunk.com/answers/684/after-fixing-propsconf-how-to-re-index-the-same-files-usin...

View solution in original post

gkanapathy · ‎11-01-2012

see this answer: http://splunk-base.splunk.com/answers/684/after-fixing-propsconf-how-to-re-index-the-same-files-usin...

lain179 · ‎11-02-2012

Never mind. It's working now. The server TCP connection had an issue and that's why it's not updating the monitored logs.

lain179 · ‎11-02-2012

This command solves my problem of re-adding the same logs

./splunk add oneshot /full/path/to/file -sourcetype mysourcetype -index myindex -host myhostparam

But I have new sourcetypes, and they are not going into Splunk either. What else do I have to do?

Trouble re-creating sourcetype after delete

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

Trouble re-creating sourcetype after delete

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...