I'm trying to add a new linemerge rule to my props.conf. I'm currently putting it in etc/system/local/props.conf but I realize this won't work if linemerge happens at index time. Does it happen at index time or at search time? If it happens at index time can I re-index my old data without re-referencing the original logs?
Parsing line-breaks (the LINEMERGE setting) does happen at index time. You are right, your changes will not affect historical data.
You might be able to recreate the data without re-referencing the original logs. BUT the only solution still requires re-indexing - so if you are trying to avoid re-indexing, I can't help.
Step 1 - test your new props.conf on a sample of the data - place the data in a test instance of Splunk or in a test index. Once tested, make sure that your updated props.conf is in place in your production environment.
Step 2 - If you have the original logs, locate them and copy them to some staging area that is accessible. If you DON'T have the original logs, you can search Splunk for the data and export it. Be sure to export _raw. Again, place this data in some staging area. You may need to play with the exported data to get it into the format that you want.
Step 3 - CAREFULLY delete the existing data from the Splunk indexes. Use the delete command.
Step 4 - Using upload (batch input, not monitor input), reload all the old data into Splunk. Make sure that you assign the sourcetype properly, so that the rules in your props.conf are properly applied. You might get a Splunk license violation, depending on your licensing volume - BUT if this is a one-off, it's okay. Remember that it takes 5 license violations in Splunk Enterprise for Splunk to lock-up.
HTH
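An added example, not from the original post, of what the two configuration pieces of this procedure could look like: the index-time line-merging stanza in props.conf and the one-off batch input in inputs.conf for step 4. The sourcetype name `app_multiline`, the staging path `/opt/splunk_staging/reload` and the timestamp layout are assumptions, and it assumes a single Splunk instance where the same box parses and indexes (on a distributed deployment the props.conf stanza has to live on the indexer or heavy forwarder that parses the data).

```ini
# props.conf (etc/system/local/ or an app's local/) -- index-time line merging
# for the hypothetical sourcetype "app_multiline", whose events each start
# with a timestamp such as "2024-01-31 12:00:00" (assumed layout).
[app_multiline]
SHOULD_LINEMERGE = true
# start a new event only on a line that begins with an ISO-style timestamp;
# continuation lines (stack traces, wrapped messages) are merged into it
BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
# cap the number of merged lines so a log without timestamps cannot
# collapse into one huge event
MAX_EVENTS = 500
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19

# inputs.conf -- step 4: batch (upload-style) input for the staged copies,
# not a monitor input. sinkhole removes each file once it has been indexed.
# Assigning the sourcetype explicitly is what makes the stanza above apply.
[batch:///opt/splunk_staging/reload/*.log]
move_policy = sinkhole
sourcetype = app_multiline
index = main
disabled = false
```

For step 2 the export search would be `index=main sourcetype=app_multiline | table _raw` (exported from the search UI), and for step 3 `index=main sourcetype=app_multiline | delete`, which requires the can_delete role and only hides the events from search rather than reclaiming disk space.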