Solved: Change source name for exisiting data.

Mr_Robaloba · ‎03-09-2011

I tried out the option "source name override" when setting up a UDP data input to replace "UDP:514" with "mynetworkSyslogs".

After making this change, can I permanently change the source name of exisiting data from this input to match the change?

I have tried doing: source="udp:514" | replace "udp:514" with "mynetworkSyslogs" in the search bar but this does not seem to make a permanent change.

wollinet · ‎03-09-2011

You can't modify existing meta data. You have to re-index the old data.

View solution in original post

wollinet · ‎03-09-2011

You can't modify existing meta data. You have to re-index the old data.

wollinet · ‎03-23-2011

You have to re-feed the log files. With 4.2 I think there're some new features for re-indexing. But I haven't checked them yet.

Mr_Robaloba · ‎03-23-2011

Thanks,
Though this seems to be a quite a limitation in Splunk.

I have been unable to locate any clear information on how to re-index my data. How do I do this?

Change source name for exisiting data.

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability