re-index windows event logs

bjoernjensen · ‎02-09-2015

I would like to force the re-indexing of events in a local Windows Event Log channel, let's say "Security". I have tried to use crcSalt (inputs.conf) but it had no effect on the Windows Event Log events. How can I do this?

MuS · ‎02-09-2015

Hi bjoernjensen,

there is another option for crcSalt which is very useful - funny this is not in the docs?!?

you can use the crcSalt = REINDEXMEPLEASE option in any inputs.conf stanza to get this input re-indexed.
Add it to the stanz, restart the forwarder and let it do the work. After that, don't forget to remove the entry again ....

Hope this helps ...

cheers, MuS

bjoernjensen · ‎02-09-2015

Hi MuS,

I just tested it without success.

Remember that crcSalt is being added to the hash of the first x bytes of a file being monitored to decide . Where x is equal to initCrcLength (inputs.conf default is 256). inputs.conf

I am running Splunk 6.2.0. Furthermore I am indexing on the Splunk machine (local Windows Event Logs).

Any ideas?

MuS · ‎02-09-2015

the REINDEXMEPLEASE worked so far for me, never had troubles. Take a look at this post about cleaning the _fishbucket http://answers.splunk.com/answers/72562/how-to-reindex-data-from-a-forwarder.html this applies to an indexer and an universal forwarder.

bjoernjensen · ‎02-09-2015

This could work once for a file I want to re-index. But I am looking on Windows Event Logs here. AFAIK handeling for this kind of pointer is done differently. From 2011 I found this post: Link

Unfortunately these checkpoint files do not exist on my system / any more.

All the best - Bjoern

re-index windows event logs

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life