Solved: Editing an existing data input creates new item

adrianp · ‎10-30-2013

When I try to edit an existing data input, it's creating a new one. Shouldn't it just update it?

Ayn · ‎10-30-2013

No, Splunk is a time-series database - it will read events and assign a timestamp to them once. Events that are indexed will not be modified - if you make changes to existing data that Splunk has already indexed, Splunk will interpret that as that the whole file has changed and its contents needs to be reindexed.

View solution in original post

Ayn · ‎10-30-2013

No, Splunk is a time-series database - it will read events and assign a timestamp to them once. Events that are indexed will not be modified - if you make changes to existing data that Splunk has already indexed, Splunk will interpret that as that the whole file has changed and its contents needs to be reindexed.

Ayn · ‎11-01-2013

Sorry, I obviously misunderstood what you meant. I don't have a good answer for the issue you're having, sorry.

adrianp · ‎10-30-2013

http://MYSERVER:8000/en-US/manager/launcher/data/inputs/udp

adrianp · ‎10-30-2013

Um, I don't follow. I'm talking about where you edit Data Inputs and select, File, Events Log, syslog, etc... When I click on one that I created (to edit it because I made a mistake), after I hit save, instead of updating the one I was editing, it just creates a new item.

Editing an existing data input creates new item

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!