- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Index name is not getting changed in old log files
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Index name is not getting changed in old log files
Hi,
I have installed splunk universal forwarder on one of my windows server, while installing I've given the log directory details. I can see those logs in my index server by searching host=<hostname>. Now I've created a new index (index=Test) and restarted splunk. I've updated the inputs.conf of the windows server where forwarder is installed and restarted my splunkForwarder service. Now if I search with index=Test host=<hostname>, I can see only the logs which came after updating the index in inputs.conf. The old logs which were in splunk already (before udpating the index), still doesn't in the new index. Please let me know how to make those old logs also within this index.
Thanks in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You cannot; already-indexed data is immutable. You can however delete it and then trick your forwarders into sending it again. That is your only option.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ,
Can you please give me more details about how to delete?
Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is a delete command (that doesn't really delete). Read about it here:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/delete
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thank you so much..When I install the forwarder in windows server, I can select the directory, but there is no option to give the index for that. In this case how can I give the index while installing forwarder in windows?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you telling me that installing the Splunk Windows Universal Forwarder by default sends event to index=Test? I find this very hard to believe and have never seen this before.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Woodcock,
Nope. I am just asking you.. is there any way to give the index details while installing splunk forwarder? I can see the option to select the directory, but I don't find any option related to index while installing forwarder.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What do you mean by "installing Splunk forwarder"? Installing a forwarder does not enable any inputs other than the _* ones. Do you really mean "adding an input" instead of "installing Splunk forwarder"?
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
