Knowledge Management

Splunk doesn't index csv files after cleaning events data

splunknewbie05
Explorer

I have my own test servers
a) universal forwarder
b) indexer

I push the large csv files (containing around 30 to 40k events) through universal forwarder with source_type=csv.
Splunk indexer was happily indexing csv files pushed from universal forwarder
I wanted to clean up all the events in indexer and did the following
a) splunk stop
b) splunk clean eventdata
c) splunk start

After I ran the above commands to clean the event data and now push the csv files again, splunk doesn't see them or index them.

Its kind of annoying.

Any thoughts on why splunk would stop indexing csv files?

Tags (1)
0 Karma
1 Solution

woodcock
Esteemed Legend

You can do 1 of 3 things:
1: Clear the fishbucket
2: Modify the contents of the file slightly (add a carriage return at the top).
3: Add crcSalt= and change the filename.

See most of the particulars here:
http://answers.splunk.com/answers/46780/reset-splunkforwarder-to-re-read-file-from-beginning.html

View solution in original post

0 Karma

woodcock
Esteemed Legend

You can do 1 of 3 things:
1: Clear the fishbucket
2: Modify the contents of the file slightly (add a carriage return at the top).
3: Add crcSalt= and change the filename.

See most of the particulars here:
http://answers.splunk.com/answers/46780/reset-splunkforwarder-to-re-read-file-from-beginning.html

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...