I have an index called high with sourcetype logs. The logs sourcetype is continuously indexing logs under the \logs dir. I have decided to create a new index and want to move those logs to that new index called Medium.

I have successfully moved the events to Medium:

index="high" sourcetype=logs | collect index="Medium"

but I can't see the events with the sourcetype:

index="Medium" sourcetype=logs

no events found

index="Medium"

This works and shows all the events, but not real-time logs. And when new logs were updated under the logs sourcetype, Splunk is showing those real-time logs under index high, not under the Medium index.

How do I show real-time events under the Medium index instead of the high index with sourcetype logs?
After the collect command, the sourcetype is changed to stash. I don't think this is the right way to move data between indexes.
First, you should modify your data input configuration (inputs.conf) on the forwarders/data source to use index=Medium instead of index=High. This should make all the real-time/latest data go to index=Medium.
Then, for moving historical data, an easy option would be to create an eventtype/macro which will collect data from both the indexes (high and Medium). Once all the data in index=high is retired (based on the retention policy set), you can update the macro/eventtype to just use index=Medium.
OR follow the method described here:
https://answers.splunk.com/answers/32176/is-it-possible-to-migrate-indexed-buckets-to-a-different-in...
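The configuration the answer describes, written out as an added example (not from the original thread): the monitor stanza before and after re-pointing it, the index definition the target needs, and the transition macro/eventtype spanning both indexes. The forwarder path C:\logs and the macro name logs_all_indexes are assumptions; Splunk requires lowercase index names, so the new index is written as "medium".

```ini
# Added example, not from the original thread.
# Assumes a Windows universal forwarder monitoring C:\logs (adjust the path).
# Index names must be lowercase in Splunk, hence "medium" rather than "Medium".

# --- inputs.conf, BEFORE: new events keep landing in index "high" ---
[monitor://C:\logs]
sourcetype = logs
index = high

# --- inputs.conf, AFTER: same monitor, pointed at the new index ---
# Restart the forwarder (or reload inputs) so the change takes effect;
# files already fully read are not re-sent, so old data stays in "high".
[monitor://C:\logs]
sourcetype = logs
index = medium

# --- indexes.conf on the indexer(s): the target index must exist first,
# otherwise incoming events are dropped or routed to lastChanceIndex ---
[medium]
homePath   = $SPLUNK_DB/medium/db
coldPath   = $SPLUNK_DB/medium/colddb
thawedPath = $SPLUNK_DB/medium/thaweddb

# --- macros.conf: one search that spans both indexes during the transition.
# Search with: `logs_all_indexes` | stats count by host
# Once "high" has aged out per its retention policy, change the definition
# to: index=medium sourcetype=logs ---
[logs_all_indexes]
definition = (index=high OR index=medium) sourcetype=logs

# --- eventtypes.conf: the equivalent as an eventtype (use one or the other).
# Search with: eventtype=logs_all_indexes ---
[logs_all_indexes]
search = (index=high OR index=medium) sourcetype=logs
```

Events already copied with collect carry sourcetype=stash, so they will not match sourcetype=logs in either form; the macro approach above leaves the historical data in place in high rather than copying it.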