You can use the collect command. Construct a search that returns the data you want to port, and pipe to collect.
index=whatever host=whatever source=whatever whatever | collect index=foo
That will port the data into the foo index. However, the sourcetype will be changed to 'stash'.
http://docs.splunk.com/Documentation/Splunk/latest/searchreference/collect
Will it also move raw data?
No - It will copy the data from your source index to the new one specified by the collect command.
It will not remove data from the original index.
You can use (with great care) the |delete command to remove the items from the source DB, but you should be aware that this only prevents the results being returned in search - the events themselves will remain on disk. In many cases this is acceptable, but if you're dealing with some sensitive data types, the only way to remove events once indexed is to expire/freeze your index and let Splunk delete the buckets.
Will this move the Raw data from one index to another or just the indexed data?
seems that the reporting server changes to the Splunk server instead of the server that generated the event...
I have run this collect command, and then searched in the index I collected the logs to.... but I do not find the results. Is this still working in 5.0.2?
Happy to help. I should also add, you can do this as well...
|collect index=foo sourcetype=foo
...and that will force your sourcetype too.
Note that changing the sourcetype will (as of 6.x, at least) incur additional licensing impact.
Thanks buddy...that little pointer helped me with another issue I was facing. Note that src="ipaddr" OR etc can be used as well if your culprit was a syslog with multiples in it....no doubt the manual would have told me that however long I spend in them! 😉
You can't selectively move data from one index to another easily. You can find the data you'd like to move and export it: export the events as raw and then import them into your new index. Once you do that, you can use | delete to mask the events so further searches won't reveal them. However, that space won't be reclaimed within the index.