Solved: Editing an existing data input creates new item

adrianp · ‎10-30-2013

When I try to edit an existing data input, it's creating a new one. Shouldn't it just update it?

Ayn · ‎10-30-2013

No, Splunk is a time-series database - it will read events and assign a timestamp to them once. Events that are indexed will not be modified - if you make changes to existing data that Splunk has already indexed, Splunk will interpret that as that the whole file has changed and its contents needs to be reindexed.

View solution in original post

Ayn · ‎10-30-2013

No, Splunk is a time-series database - it will read events and assign a timestamp to them once. Events that are indexed will not be modified - if you make changes to existing data that Splunk has already indexed, Splunk will interpret that as that the whole file has changed and its contents needs to be reindexed.

Ayn · ‎11-01-2013

Sorry, I obviously misunderstood what you meant. I don't have a good answer for the issue you're having, sorry.

adrianp · ‎10-30-2013

http://MYSERVER:8000/en-US/manager/launcher/data/inputs/udp

adrianp · ‎10-30-2013

Um, I don't follow. I'm talking about where you edit Data Inputs and select, File, Events Log, syslog, etc... When I click on one that I created (to edit it because I made a mistake), after I hit save, instead of updating the one I was editing, it just creates a new item.

Editing an existing data input creates new item

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...