Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Rebuilding index level .data files

vbumgarner
Contributor
‎05-11-2011 09:43 AM

On a healthy index, these two queries return the same value, or at least very similar, since the value is changing as data is indexed:

 |metadata type=sourcetypes | stats sum(totalCount)
 |dbinspect | stats sum(eventCount)

metadata seems to use the files at

*/db/*.data

dbinspect seems to use the files one level down at

*/db/*/*.data

I believe the rebuild command can be used to rebuild the .data on a bucket by bucket basis. Is there a similar command for rebuilding the .data files at the index level, the .data files just inside db?

Tags (3)
0 Karma
Reply

Simeon
Splunk Employee
Splunk Employee
‎05-12-2011 04:37 PM

This is NOT supported, but should work...

  1. Create a "meta.dirty" file in the root directory of the index you want to rebuild.
  2. Restart splunk.
0 Karma
Reply

vbumgarner
Contributor
‎05-18-2011 07:26 AM

An answer I was given off-board was to move the *.data files at the index level aside and restart. This seems to rebuild those files from the *.data files in the buckets themselves.

It would be nice to have a simple way to rebuild all counts, in all buckets and at the index level.

0 Karma
Reply

DUThibault
Contributor
‎11-07-2017 07:43 AM

The "root directory of the index" is e.g. $SPLUNK_DB/defaultdb/db/ ($SPLUNK_DB/defaultdb/ will NOT work). With Splunk 7, meta.dirty is deleted from db/ upon restart but the index is not rebuilt.

I found the following method on https://answers.splunk.com/answers/72562/how-to-reindex-data-from-a-forwarder.html (dating back to 2013):
1) # splunk stop
2) # splunk clean eventdata -index main
This sort of worked, except older data did not get re-indexed. My horizon shrunk from several days to about 5 hours. It ended up easier to remove the data sources (which were directories under surveillance anyway) and add them back in.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...