Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Re-send data with universal forwarder?

kevintelford
Path Finder
‎04-06-2011 08:31 PM

When using a lightweight-forwarder we were able to clean the fishbucket (eventdata) so that we could re-forward data. Trying this on the new universal forwarder yields the message "ERROR: Cleaning eventdata is not supported on this version." Is there a new way to do this?

Thanks, Kevin

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

amrit
Splunk Employee
Splunk Employee
‎04-07-2011 02:34 AM

There is currently no command that will clean only the fishbucket (this is a bug, lack of foresight, something). You should file an ER for this, but in the meantime you can just wipe the contents of $SPLUNK_DB/var/lib/splunk/fishbucket/ .

View solution in original post

Reply
Solved! Jump to solution

cervelli
Splunk Employee
Splunk Employee
‎07-20-2011 11:27 AM

The clean all command works for removing the fishbucket on a UF. Is there a reason you can't issue that command?

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-28-2012 04:49 PM

cervelli said clean all. not clean eventdata.

0 Karma
Reply
Solved! Jump to solution

ferenc0521
New Member
‎05-24-2018 02:21 PM

clean all removed all user data, including admin. I cannot add admin back, because it requires authorization.
catch 22

0 Karma
Reply
Solved! Jump to solution

ferenc0521
New Member
‎05-24-2018 02:50 PM

so tried clean all, but didn't see the files/events resent, moreover the admin user is gone, so
can't check with:
https://:8089/services/admin/inputstatus/TailingProcessor:FileStatus
because no auth with admin is possible.

I guess reinstall/config is next step

0 Karma
Reply
Solved! Jump to solution

tonopahtaos
Path Finder
‎08-02-2012 02:32 PM

Here is why:

C:\Program Files\SplunkUniversalForwarder\bin>splunk clean eventdata
This action will permanently erase all events from ALL indexes; it cannot be und
one.
Are you sure you want to continue [y/n]? y
ERROR: Cleaning eventdata is not supported on this version.

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎07-20-2011 01:19 PM

I don't know his problem, but I guess this would wipe/reset the user/password data, wouldn't it?

Reply
Solved! Jump to solution
Solution

amrit
Splunk Employee
Splunk Employee
‎04-07-2011 02:34 AM

There is currently no command that will clean only the fishbucket (this is a bug, lack of foresight, something). You should file an ER for this, but in the meantime you can just wipe the contents of $SPLUNK_DB/var/lib/splunk/fishbucket/ .

Reply
Solved! Jump to solution

tonopahtaos
Path Finder
‎08-02-2012 02:17 PM

This did not work for me. When UF was running, i got a error when I wiped out the content of 'fishbucket'. I have to stop UF first, then remove all under 'fishbucket'. After restarting UF, i did not see any admon or Windows audit event resent.

0 Karma
Reply
Solved! Jump to solution

amrit
Splunk Employee
Splunk Employee
‎04-08-2011 05:16 PM

You want a cookie?

Reply
Solved! Jump to solution

kevin_telford
New Member
‎07-15-2015 11:41 AM

Four plus years and still no cookie. Hopefully you don't treat all the ladies this way.

0 Karma
Reply
Solved! Jump to solution

kevintelford
Path Finder
‎04-07-2011 03:51 PM

Submitted: Case # 57213

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...