implications of changing the configurations of an ...

sophiacyh · ‎02-02-2022

Hi splunk community! Im new to splunk here so im not very clear on the consequences of updating indexes

1. For example, if index1 indexes from file1, but if in the future i want to change it to index from file2 instead, will there be any implications if i just update the stanza in input.conf file to direct to file2 instead of file1? or do i need to delete the current index and create a new one and then direct to file2?

2. If i want to add more fields to the stanza of the indexed file, will i need to recreate the index? or can i just add the field to the stanza

thank you in advance!

PickleRick · ‎02-02-2022

Inputs don't "touch" indexes at all. The only dependency is that after processing the input, when the data is sent further down the pipeline for parsing/forwarding/indexing it can have the metadata field specifying destination index set. That's all.

So you can freely add, change, remove inputs and nothing will hapen to the indexes themselves and data already indexed.

I don't know what you mean by "add fields to the stanza of indexed file".

If you mean field extractions then no, yiu don't have to touch indexes either if you're defining new field extractions. In fact newly defined search-time extractions will work on already indexed data.

And you don't define extractions per index. You define them per sourcetype, source or host pattern. It's not a RDBMS. 😉

implications of changing the configurations of an indexed file

index

indexer

inputs.conf

universal forwarder

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!