How to index by old sourcetype , after logs monito...

ramup · ‎12-31-2015

Hi,

We have below configuration:

source: <Path>/access.log
sourceType:AccessLogs
Index: AccessLog

Now, we need to create new sourceType (and also new index) as per requirement and disable old index (shouldn't monitor logs now onwards) . But, old data exists till now, needs to be searched using old sourcetype. How to configure these

Can a index/sourceType exists without any source(to Monitor )

Thanks,
Ramu

jkat54 · ‎01-01-2016

Your sourcetypes are found in your inputs.conf files or from anywhere in Splunk Web:

Splunk Filesystem
$splunk_home$/etc/{application name}/(local OR default)/inputs.conf

Splunk Web:
select System, and then select Data inputs from the Data section of the System pop-up. This takes you to a page where you can view and manage your existing inputs, as well as add new ones.

You'll just change the input for the data to point to new index and have new sourcetype.

Check this article out for more details: http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configureyourinputs

richgalloway · ‎12-31-2015

If you disable the old index you will not be able to search it.

---
If this reply helps you, Karma would be appreciated.

How to index by old sourcetype , after logs monitoring has been disabled

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!