Is there any way to apply access_combined_wcookie extraction to some historical data during search time? Some of the data was not set up correctly as access_combined_wcookie source during index time, and we want to parse it for some quick reporting.
The simplest way is by using rename on the old sourcetype so it pretends to be the new/fixed/correct sourcetype at search time:
https://docs.splunk.com/Documentation/Splunk/6.6.0/Data/Renamesourcetypes
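A sketch of the rename approach described above, as an added example that is not part of the original answer. The stanza name old_access_sourcetype is a placeholder for whatever sourcetype the historical data was actually indexed under, and the file location is an assumption about where search-time configuration lives in your deployment.

```ini
# props.conf on the search head, e.g. in an app's local/ directory (assumed location)

# "old_access_sourcetype" is a placeholder: use the sourcetype the
# historical events were really indexed with.
[old_access_sourcetype]
# Search-time only: events are presented as access_combined_wcookie,
# so that sourcetype's field extractions are applied to them.
# Nothing on disk changes; line breaking and timestamps stay as indexed.
rename = access_combined_wcookie

# After the rename takes effect, search by the new name. The original
# value is still available in the _sourcetype field, which lets you
# confirm that the historical events are now being parsed:
#
#   sourcetype=access_combined_wcookie _sourcetype=old_access_sourcetype
#   | stats count by status
```

Searches and saved reports that still filter on the old sourcetype name stop matching once the rename is active, so update them or filter on _sourcetype instead.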
By extraction, do you mean field extractions from access_combined_wcookie or other index-time parsing (line breaking, timestamp extractions, etc.)?
Yes. Field extractions. Is there an easier way to reparse these data using the access_combined_wcookie transformation?