Getting Data In

How to update an existing index for a file, if the file is updated with new fields/attributes

patelya
New Member

Hi,

I have a CSV file with some values that I am forwarding to my indexer, and for this file, events and indexes are already created. Now my CSV file was updated and some new fields were added, like userId. My question is: will the newly added fields automatically be indexed? If not, is there a way to update the index so that it can have events with the newly added fields? I didn't find anything in the Indexers.conf file.

0 Karma

woodcock
Esteemed Legend

If you are using INDEXED_EXTRACTIONS and the header line of your CSV then it will be fine. Otherwise, you will have to update your props.conf settings.

0 Karma

somesoni2
SplunkTrust

The data, once indexed, can't be updated, so the only option would be to get that file re-indexed (assuming it's getting indexed when you say you're forwarding to the indexer). So whether re-indexing will happen depends upon how it's been forwarded (being monitored or batched or was a one-time upload) and where the changes are made (how far in the file, from the start, the change occurred). If you can include more information on the file forwarding method and file updates, we may be able to give you proper suggestions.

0 Karma

patelya
New Member

Hi somesoni2,

Thanks for replying. Yes, the file is getting indexed after forwarding it to the indexer, and I am doing a one-time upload. I have, say, 10 records in my CSV file with 5 values. Now from the 11th record onwards the file will have 2 more values for each record.

Thanks
Yaju

0 Karma

DalJeanis
SplunkTrust

The answer is, most likely you need to modify props.conf.

It probably looks something like this:

[mysourcetypecsv]
FIELD_DELIMITER=,
FIELD_NAMES=myfield1,myfield2,myfield3,myfield4

Here's a good reference that shows how to do it if the fields might sometimes be present and sometimes not....

https://answers.splunk.com/answers/206240/best-way-to-index-csv-files-with-some-common-field.html

0 Karma
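
The two approaches from the answers above, side by side in one props.conf, as an added example that is not from any of the posters: the sourcetype names are hypothetical and the field names are the placeholders from the last answer plus the userId field from the question.

```ini
# props.conf (added example, hypothetical sourcetype names).
# Structured-data settings such as these are applied where the file is
# first parsed, which is the forwarder when a universal forwarder reads the CSV.
# Events that are already indexed are not changed by either variant.

# Variant 1: field names come from the CSV header line.
# If the header row lists the new columns (for example userId), events
# indexed from then on carry them without further changes here.
[example_csv_with_header]
INDEXED_EXTRACTIONS = csv
FIELD_DELIMITER = ,
HEADER_FIELD_LINE_NUMBER = 1

# Variant 2: field names are listed explicitly (no usable header line).
# Every new column has to be appended to FIELD_NAMES by hand.
[example_csv_named_fields]
INDEXED_EXTRACTIONS = csv
FIELD_DELIMITER = ,
FIELD_NAMES = myfield1,myfield2,myfield3,myfield4,userId
```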