Best approach to move data to a different index?

Using Splunk 6.3.1, 1 search head, 4 indexers, 1 UF. I have a lot of data that got put into the wrong index. We have to segregate our data into different indexes based on the value of a specific field. If the field is not present (or doesn't match one of the transforms), the data is put into an "error" index. Everything was working perfectly, until someone upstream from me changed the values of the field without telling me. Now I have data in the error index that should not be there. What is the easiest way to get the raw data back out and re-index it correctly? (I'm not worried about the cost of re-indexing, and can `| delete` the data from the error index after it is moved to the correct index.) The original data was in JSON format. I tried using the dump command `index=foo field=value | dump basefilename=20160510-wrongidx format=raw fields=_raw`. This command tried to generate a dump file for every source (of which there were millions), so the search kept dying. I narrowed it down to just a day's worth and got output, but it wasn't in a format I can easily use. Is there a better approach? What would you guys recommend?
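For readers unfamiliar with the setup the question describes, here is what index-time routing by field value with an "error" fallback looks like in Splunk configuration. This is an added illustration, not the poster's configuration; the sourcetype `app_json`, the field `region`, the index names and the monitor path are all assumed.

```ini
# inputs.conf -- the input's default index is the fallback ("error"),
# so any event that no routing transform claims lands there.
# (path and sourcetype are assumed for this example)
[monitor:///var/log/app/events.json]
sourcetype = app_json
index = error

# props.conf -- apply the routing transforms at parse time, in order;
# when more than one matches, the later one wins.
[app_json]
TRANSFORMS-routing = route_region_us, route_region_eu

# transforms.conf -- REGEX runs against _raw at index time, so it must
# match the JSON text itself, not a search-time extracted field.
# If the upstream producer changes the value (say "us" becomes "US-EAST"),
# neither regex matches and the event silently falls back to "error".
[route_region_us]
REGEX = "region"\s*:\s*"us"
DEST_KEY = _MetaData:Index
FORMAT = app_us

[route_region_eu]
REGEX = "region"\s*:\s*"eu"
DEST_KEY = _MetaData:Index
FORMAT = app_eu
```

Because the decision is a regex match at parse time, an upstream change to the field's values shows up only as growth in the fallback index; alerting on the event rate in `error` catches that before a large backlog has to be re-indexed.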
