Getting Data In

After renaming a sourcetype, why is it only being applied to new data and not already indexed data?

OMohi
Path Finder

Hi Guys:

I have renamed a sourcetype, but after renaming the sourcetype and recycling the indexers, I only see new data being allocated to the new sourcetype. Historical data still seems to be allocated to the old sourcetype.

How do I address this problem? Do I need to clean all the eventdata from index on the indexer, stop Universal Forwarder, delete the fishbucket folder, start the indexer, and restart the forwarder? Please let me know.

Thanks

Tags (2)
0 Karma
1 Solution

tskinnerivsec
Contributor

sourcetype is an indexed field, so when you change to a new sourcetype, it will not apply to any historical events. If you don't care about your old data, you can just clear all the eventdata in the index where that particular historical data resides. After you clear the eventdata out of the index, if you still have the source data, you would have to re-index it and it should pick up the new sourcetype that you have configured.

View solution in original post

tskinnerivsec
Contributor

sourcetype is an indexed field, so when you change to a new sourcetype, it will not apply to any historical events. If you don't care about your old data, you can just clear all the eventdata in the index where that particular historical data resides. After you clear the eventdata out of the index, if you still have the source data, you would have to re-index it and it should pick up the new sourcetype that you have configured.

bmacias84
Champion

tskinnerivsec is correct. _time, host,index, splunk_server, sourcetype, and source are all fields performed during ingestion (index time).

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...