Solved: changing the source type in splunk

kteng2024 · ‎02-12-2017

Hi,

what happens if we change the source type of already existing data . For example , i have a monitor stanza like

[monitor: //export/apache/web]
index=xyz
sourcetype=apache_web_log

if the data from this sourcetype is already been indexed and if i change the sourcetype to " web_logs" . will the indexed data will be changed as per new sourcetype . Can i also know what are the disadvantages of changing the source type once it is already been set ?

skoelpin · ‎02-12-2017

It will change the sourcetype to only the newly indexed data, it will not take affect retroactively.. Fields are relative to your sourcetype so you will lose all fields associated with your previous sourcetype. This will break any reports, alerts, or dashboards you may have that rely on that field.

If it's a dire need to change the sourcetype, you should then create new fields relative to your new sourcetype, update your new sourcetype, ...| delete the old sourcetype data from Splunk Web and reindex the old data by clearing the fishbucket on the forwarders.. How much previous data do you have under that old sourcetype? How fast do your buckets roll to frozen?

Worst case you can duplicate the fields to the new sourcetype and forego the removing and reindexing of new data.. You could then let the old sourcetype data roll into frozen if your ok with having 2 sourcetypes over the same type of data for a bit

View solution in original post

woodcock · ‎03-25-2017

You might be better off using rename. This allows you to use either the new one as sourcetype and the original one as _sourcetype:

https://docs.splunk.com/Documentation/SplunkCloud/6.5.1612/Data/Renamesourcetypes

skoelpin · ‎02-12-2017

It will change the sourcetype to only the newly indexed data, it will not take affect retroactively.. Fields are relative to your sourcetype so you will lose all fields associated with your previous sourcetype. This will break any reports, alerts, or dashboards you may have that rely on that field.

If it's a dire need to change the sourcetype, you should then create new fields relative to your new sourcetype, update your new sourcetype, ...| delete the old sourcetype data from Splunk Web and reindex the old data by clearing the fishbucket on the forwarders.. How much previous data do you have under that old sourcetype? How fast do your buckets roll to frozen?

Worst case you can duplicate the fields to the new sourcetype and forego the removing and reindexing of new data.. You could then let the old sourcetype data roll into frozen if your ok with having 2 sourcetypes over the same type of data for a bit

richgalloway · ‎02-12-2017

Changing a config only affects newly-indexed data. Already-indexed data is not and cannot be changed.

One disadvantage to changing sourcetypes is your data will have two different sourcetypes associated with it (apache_web_log for the old data and web_logs for the new data) until the old data ages out. That means your dashboards will have to search for both sourcetypes.

---
If this reply helps you, Karma would be appreciated.

nickhills · ‎02-12-2017

Although you could use a sourcetype rename to convert you old sourcetype name to match the new version (or do the inverse - make the new name look like the old)

In any case as @richgalloway notes, you will have to update your searches, but if you had bad names first time round, it may be worth the small pain.

If my comment helps, please give it a thumbs up!

changing the source type in splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM