I have my own test servers
a) universal forwarder
b) indexer
I push the large csv files (containing around 30 to 40k events) through universal forwarder with source_type=csv.
Splunk indexer was happily indexing csv files pushed from universal forwarder
I wanted to clean up all the events in indexer and did the following
a) splunk stop
b) splunk clean eventdata
c) splunk start
After I ran the above commands to clean the event data and now push the csv files again, splunk doesn't see them or index them.
Its kind of annoying.
Any thoughts on why splunk would stop indexing csv files?
You can do 1 of 3 things:
1: Clear the fishbucket
2: Modify the contents of the file slightly (add a carriage return at the top).
3: Add crcSalt= and change the filename.
See most of the particulars here:
http://answers.splunk.com/answers/46780/reset-splunkforwarder-to-re-read-file-from-beginning.html
You can do 1 of 3 things:
1: Clear the fishbucket
2: Modify the contents of the file slightly (add a carriage return at the top).
3: Add crcSalt= and change the filename.
See most of the particulars here:
http://answers.splunk.com/answers/46780/reset-splunkforwarder-to-re-read-file-from-beginning.html