I set up collection of logs from the file /var/log/messages with sourcetype "Logs". Then I added collection of the same logs, but specified another sourcetype: "messages". According to Splunk, the files now appear under both sourcetypes. How can I now change the sourcetype of previously indexed data?
And how can I change other values, for example hostname for the indexed data?
you may need to re-index the data, which should be available on the host that sent it, or it may be in your rawdata in the index database.
OK. How can I EDIT my database? I need to change hostnames for indexed data.
Maybe somebody has used a Splunk base editor or something else... I have indexed data from host example_host.mydomain.com and I need to change the hostname to example1.mydomain.com. How can I do it? Thanks.
You cannot edit a Splunk database. You can delete the data, and then reindex it.
Are you sure?
I think that changing the value "hostname" or some other value for the indexed data is a trivial task... If Splunk has a database, it means any particular format has its own types of records, structure, etc. Based on what you say, I cannot make changes to the database? Have you tried to do it? Thanks.
To change data already indexed, you can tag your host field:
http://www.splunk.com/base/Documentation/latest/Knowledge/Tagthehostfield
This will let you search on the tag, but won't change the underlying value for the host field.
If you want to actually change the value of host field, you'll have to reindex your data and set the host field when you set up your input. Read these instructions:
http://www.splunk.com/base/Documentation/latest/Admin/Setthevalueofhostforaninput
Hope that helps!
--emma
Thanks for your post, Emma. You wrote: "...you'll have to reindex your data..."
Reindexing means data loss, and I do not want to lose data.
as gkanapathy says, it is not possible to change/edit the actual value of the host field in data that has already been indexed. this is definitely true.
if you have the original source log files for your data, you can re-index them to have the new value you want for the host field. no data will be lost this way. the same data will arrive in your index as before.
if you do not have the original source files, i recommend you tag the host field as Emma suggested.