Getting Data In

Is it possible to retroactively split logs by deleting the universal forwarder off the server, then reinstall it with props.conf changes?

skoelpin
SplunkTrust

I have about 10 million events in one index and my manager wants me to split them up differently than they currently are. So I went into the props.conf and wrote some regex to correctly split the logs. Now I want to have those logs split retroactively from the first event.

My question: would this be possible if I were to delete the forwarder off the server, then re-install the forwarder with the changes in my props.conf?

1 Solution

woodcock
Esteemed Legend

Yes, the easiest way is to uninstall and then reinstall Splunk on the forwarder and that will do it. You also need to delete the data that is currently in your indexers like this:

index=myIndex | delete

Yes, I know that doesn't really delete it but for his purposes, it is fine.
If you would like something a bit quicker and less radical, you can search the subject "cleaning the fishbucket" and do that on your forwarder to cause it to forget that it has ever forwarded anything.

skoelpin
SplunkTrust

Excellent explanation!

matthieu_araman
Communicator

Hello,

I would use another index for testing (or make a backup).
It's not clear where the data came from.
If it's from files on the UF which are still there, then there's no need to reinstall:
you can stop the Splunk UF, remove the fishbucket directory and restart the UF, and Splunk will start from scratch.
See http://answers.splunk.com/answers/72562/how-to-reindex-data-from-a-forwarder.html
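The fishbucket reset described in the two answers above (stop the UF, remove the fishbucket directory, restart), written out as an added example script; it is not from the thread or from Splunk's own tooling. It assumes the forwarder lives under SPLUNK_HOME (the /opt/splunkforwarder default is an assumption) and that the fishbucket sits at the usual $SPLUNK_HOME/var/lib/splunk/fishbucket. Rather than deleting the checkpoint outright, it moves it aside with a timestamp so the old read positions can be restored, and it refuses to run when SPLUNK_HOME is empty, since the resulting path would point outside the install. A DRY_RUN=1 switch prints the steps instead of executing them, which is the mode to try first on a production forwarder.

```shell
#!/bin/sh
# Added example: reset a universal forwarder's fishbucket so it re-reads
# every monitored file from the beginning (the procedure the answers describe).
# Assumptions: SPLUNK_HOME is the UF install root (default below is a guess),
# and the fishbucket is at $SPLUNK_HOME/var/lib/splunk/fishbucket.
# DRY_RUN=1 prints each step instead of running it.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
DRY_RUN="${DRY_RUN:-0}"

# The fishbucket is the checkpoint DB recording how far each monitored
# file has been read; removing it makes the UF forget everything it sent.
fishbucket_path() {
    printf '%s/var/lib/splunk/fishbucket\n' "$1"
}

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'DRY RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# Stop the UF, move the fishbucket aside (keeping a restorable backup),
# and start the UF again. Returns 1 instead of acting on a bad path.
reset_fishbucket() {
    home="$1"
    fb="$(fishbucket_path "$home")"
    # Guard: an empty SPLUNK_HOME would yield /var/lib/splunk/fishbucket,
    # which is not inside any forwarder install.
    case "$fb" in
        /var/lib/splunk/fishbucket)
            echo "refusing to reset: SPLUNK_HOME is unset" >&2
            return 1 ;;
    esac
    backup="${fb}.bak.$(date +%Y%m%d%H%M%S)"
    run "$home/bin/splunk" stop
    run mv "$fb" "$backup"
    run "$home/bin/splunk" start
    echo "fishbucket moved to $backup; UF will re-read monitored files"
}

# Only act when explicitly asked, e.g.:  DRY_RUN=1 sh reset_fishbucket.sh run
case "${1:-}" in
    run) reset_fishbucket "$SPLUNK_HOME" ;;
esac
```

Two points to keep in mind before running it for real: re-reading the files sends every event again, so unless the old copies were removed on the indexers first (the `| delete` search in the accepted answer, which needs the can_delete role and only hides events rather than freeing disk) the index ends up with duplicates; and the history being discarded is log evidence, so taking the backup the answer above recommends, or indexing the re-read data into a separate index first, keeps the original available if the new props.conf splitting turns out wrong.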

skoelpin
SplunkTrust

Thanks for the info. That link was very helpful!
