Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to overwrite the indexer data.

vinod743374
Communicator
‎07-07-2021 02:22 AM

Is there  any possibility to over write the index data ,

for example the data is indexing by the below query.

| inputlookup  sample_Data.csv  | collect index= Collected_data 

if i indexing the some other data to the same index ,
in this scenario the old data in the index should be over write by the new data , if it is possible ,  can you please explain how to do it. 

| inputlookup  sample_Data2.csv  | collect index= Collected_data 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-07-2021 02:55 AM

Hi @vinod743374,

you cannot modify any Splunk indexed data.

If you want a list of events always updated, you have to put them in a lookup or a KV Store.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-07-2021 02:55 AM

Hi @vinod743374,

you cannot modify any Splunk indexed data.

If you want a list of events always updated, you have to put them in a lookup or a KV Store.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-07-2021 04:00 AM

Hi @vinod743374,

tell me how can help you more.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution

vinod743374
Communicator
‎07-07-2021 04:08 AM

can you help me with any other alternative solution for my application.

is there any command or search query to delete the previous data (sample_data.csv) in index and  indexing only the latest data (sample_data2.csv).

| inputlookup  sample_data2.csv | collect index= Collected_data.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-07-2021 05:20 AM

Hi @vinod743374,

you have to stop to think to Splunk as a DB!

Splunk indexed logs that are no longer editable until cleared!

If you need an always up-to-date situation of your data, you can create a search from your indexed data and save the results in a lookup using the outputlookup command.

At this point you can modify the data in the lookup that it's editable: in other words you can modify the data in the lookup but not in the Splunk indexes where they remain unchanged.

You can make changes to the lookup data using the Lookup Editor App or a specific search or JavaScript.

With Lookup Editor App it's very easy modify data but not controlled and not so beautiful.

Instead, updating lookup in a dashboard (using a search or a JS) it's not a five-minute work that can be suggested with an answer, but it does take time and Splunk knowledge.

To give you a hint of the steps to make it, you need to:

  • recall the lookup in a dashboard,
  • select a record to edit with an in-page drilldown,
  • add one or more inputs to insert the values to be put or modified in the fields of the selected record,
  • update the record in the lookup with the outputlookup command.

I'm sorry I can't help you more but it's not an immediate thing!

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...