When using a lightweight-forwarder we were able to clean the fishbucket (eventdata) so that we could re-forward data. Trying this on the new universal forwarder yields the message "ERROR: Cleaning eventdata is not supported on this version." Is there a new way to do this?
There is currently no command that will clean only the fishbucket (this is a bug, lack of foresight, something). You should file an ER for this, but in the meantime you can just wipe the contents of $SPLUNK_DB/var/lib/splunk/fishbucket/ .
C:\Program Files\SplunkUniversalForwarder\bin>splunk clean eventdata
This action will permanently erase all events from ALL indexes; it cannot be und
one.
Are you sure you want to continue [y/n]? y
ERROR: Cleaning eventdata is not supported on this version.
There is currently no command that will clean only the fishbucket (this is a bug, lack of foresight, something). You should file an ER for this, but in the meantime you can just wipe the contents of $SPLUNK_DB/var/lib/splunk/fishbucket/ .
This did not work for me. When UF was running, i got a error when I wiped out the content of 'fishbucket'. I have to stop UF first, then remove all under 'fishbucket'. After restarting UF, i did not see any admon or Windows audit event resent.
