Splunk Search

changing the source type in splunk

Path Finder

Hi,

What happens if we change the source type of already existing data? For example, I have a monitor stanza like

[monitor:///export/apache/web]
index = xyz
sourcetype = apache_web_log

If the data from this sourcetype has already been indexed and I change the sourcetype to "web_logs", will the indexed data be changed as per the new sourcetype? Can I also know what the disadvantages are of changing the source type once it has already been set?

1 Solution

SplunkTrust

It will change the sourcetype only for newly indexed data; it will not take effect retroactively. Fields are relative to your sourcetype, so you will lose all fields associated with your previous sourcetype. This will break any reports, alerts, or dashboards you may have that rely on those fields.

If it's a dire need to change the sourcetype, you should then create new fields relative to your new sourcetype, update your new sourcetype, ... delete the old sourcetype data from Splunk Web and reindex the old data by clearing the fishbucket on the forwarders. How much previous data do you have under that old sourcetype? How fast do your buckets roll to frozen?

Worst case, you can duplicate the fields to the new sourcetype and forego the removing and reindexing of new data. You could then let the old sourcetype data roll into frozen if you're OK with having 2 sourcetypes over the same type of data for a bit.


Esteemed Legend

You might be better off using rename. This allows you to use either the new one as sourcetype and the original one as _sourcetype:

https://docs.splunk.com/Documentation/SplunkCloud/6.5.1612/Data/Renamesourcetypes

0 Karma
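The rename approach from the reply above, written out as an added example (not configuration from the question or from the reply; the stanza names index=xyz, apache_web_log and web_logs come from the question, the file placement and everything else are assumptions). The rename is a search-time setting in props.conf, so already-indexed events keep apache_web_log on disk but answer to sourcetype=web_logs in searches, with the original name preserved in _sourcetype; the forwarder's inputs.conf is switched so new data arrives as web_logs directly:

```ini
# --- props.conf on the search head (assumed placement) ---
# Search-time rename: events indexed as apache_web_log are returned as
# sourcetype=web_logs, and the original name is kept in _sourcetype.
# Nothing on disk changes; this only affects how searches see the data.
[apache_web_log]
rename = web_logs

# --- inputs.conf on the forwarder (assumed placement) ---
# New data from the same monitor path is indexed as web_logs directly.
[monitor:///export/apache/web]
index = xyz
sourcetype = web_logs
```

With this in place a dashboard search for `index=xyz sourcetype=web_logs` returns both the historical apache_web_log events and the newly indexed ones, and `index=xyz _sourcetype=apache_web_log` still isolates the old data if you need to tell them apart. Without the rename, the caveat from the other reply applies: every search has to cover both names, for example `index=xyz sourcetype IN (apache_web_log, web_logs)`, until the old data rolls to frozen.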

SplunkTrust

Changing a config only affects newly-indexed data. Already-indexed data is not and cannot be changed.

One disadvantage to changing sourcetypes is your data will have two different sourcetypes associated with it (apache_web_log for the old data and web_logs for the new data) until the old data ages out. That means your dashboards will have to search for both sourcetypes.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Ultra Champion

Although you could use a sourcetype rename to convert your old sourcetype name to match the new version (or do the inverse: make the new name look like the old).

In any case as @richgalloway notes, you will have to update your searches, but if you had bad names first time round, it may be worth the small pain.

0 Karma