Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to reindex old data residing in one index into a new index?

Bliide
Path Finder
‎01-28-2015 07:21 AM

I corrected an error in an index where data was being consumed by 2 indexes. I created a new index (IndexB) and the data is being gathered correctly now. The new index has all the data in the log files after the creation of the index but it did not get the data that was already indexed in another index (IndexA). I need to pull the old log files into the new index. How do I tell the new index to gather all the old data from the log files?

Tags (2)
0 Karma
Reply

chanfoli
Builder
‎01-28-2015 07:32 AM

I think a good approach is to use oneshot to index your log files with the correct options. See the following for more info:

http://docs.splunk.com/Documentation/Storm/Storm/User/CLIcommandsforinput

More hints, and other approach here:

http://answers.splunk.com/answers/72562/how-to-reindex-data-from-a-forwarder.html

Reply

aakwah
Builder
‎01-28-2015 07:27 AM

You need to reprocess the old files by moving them to the new monitored directory but the issue now is that splunk forwarder will not index them because they are already processed, so you have 2 solutions to reprocess old files:

 -Splunk forwarder keep track of processed files through fishbucket directory "/opt/splunkforwarder/var/lib/splunk/fishbucket/", so if you remove all the contents of fishbucket directory splunk will process again all files under monitored directories which will process the required files to the new index "IndexB", but this also will cause duplicates because all files will be processed, so you should move all processed files to archive directory to not be processed again.

 -Second solution is make small edit on files you want to process by adding newline or space for example, as splunk will check the checksum of the file to identify if the file is processed or not, unfortunately changing file name is not enough.

Hope this answer your questions, please let me know if you still have issues.

Regards,
Ahmed

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...