- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How do I apply a new linemerge rule to historical ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to add a new linemerge rule to my props.conf. I'm currently putting it in etc/system/local/props.conf but I realize this won't work if linemerge happens at index time. Does it happen at index time or at search time? If it happens at index time can I re-index my old data without re-referencing the original logs?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Parsing line-breaks (the LINEMERGE setting) does happen at index time. You are right, your changes will not affect historical data.
You might be able to recreate the data without re-referencing the original logs. BUT the only solution still requires re-indexing - so if you are trying to avoid re-indexing, I can't help.
Step 1 - test your new props.conf on a sample of the data - place the data in a test instance of Splunk or in a test index. Once tested, make sure that your updated props.conf is in place in your production environment.
Step 2 - If you have the original logs, locate them and copy them to some staging area that is accessible. If you DON'T have the original logs, you can search Splunk for the data and export it. Be sure to export _raw. Again, place this data in some staging area. You may need to play withe exported data to get it into the format that you want.
Step 3 - CAREFULLY delete the existing data from the Splunk indexes. Use the delete command.
Step 4 - Using upload (batch input, not monitor input), reload all the old data into Splunk. Make sure that you assign the sourcetype properly, so that the rules in your props.conf are properly applied. You might get a Splunk license violation, depending on your licensing volume - BUT if this is a one-off, it's okay. Remember that it takes 5 license violations in Splunk Enterprise for Splunk to lock-up.
HTH
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Parsing line-breaks (the LINEMERGE setting) does happen at index time. You are right, your changes will not affect historical data.
You might be able to recreate the data without re-referencing the original logs. BUT the only solution still requires re-indexing - so if you are trying to avoid re-indexing, I can't help.
Step 1 - test your new props.conf on a sample of the data - place the data in a test instance of Splunk or in a test index. Once tested, make sure that your updated props.conf is in place in your production environment.
Step 2 - If you have the original logs, locate them and copy them to some staging area that is accessible. If you DON'T have the original logs, you can search Splunk for the data and export it. Be sure to export _raw. Again, place this data in some staging area. You may need to play withe exported data to get it into the format that you want.
Step 3 - CAREFULLY delete the existing data from the Splunk indexes. Use the delete command.
Step 4 - Using upload (batch input, not monitor input), reload all the old data into Splunk. Make sure that you assign the sourcetype properly, so that the rules in your props.conf are properly applied. You might get a Splunk license violation, depending on your licensing volume - BUT if this is a one-off, it's okay. Remember that it takes 5 license violations in Splunk Enterprise for Splunk to lock-up.
HTH
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
