Getting Data In

implications of changing the configurations of an indexed file


Hi splunk community! Im new to splunk here so im not very clear on the consequences of updating indexes

1. For example, if index1 indexes from file1, but if in the future i want to change it to index from file2 instead, will there be any implications if i just update the stanza in input.conf file to direct to file2  instead of file1? or do i need to delete the current index and create a new one and then direct to file2?

2. If i want to add more fields to the stanza of the indexed file, will i need to recreate the index? or can i just add the field to the stanza

thank you in advance!

Labels (4)
0 Karma


Inputs don't "touch" indexes at all. The only dependency is that after processing the input, when the data is sent further down the pipeline for parsing/forwarding/indexing it can have the metadata field specifying destination index set. That's all.

So you can freely add, change, remove inputs and nothing will hapen to the indexes themselves and data already indexed.

I don't know what you mean by "add fields to the stanza of indexed file".

If you mean field extractions then no, yiu don't have to touch indexes either if you're defining new field extractions. In fact newly defined search-time extractions will work on already indexed data.

And you don't define extractions per index. You define them per sourcetype, source or host pattern. It's not a RDBMS. 😉

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...