How do I force a universal forwarder to reindex al...

daniel333 · ‎06-13-2016

All,

Is there a way to make a Universal Forwarder reindex all its inputs?

thanks
-Daniel

MuS · ‎06-13-2016

Hi daniel333,

btool is used to view or validate Splunk config files.
Probably btprobe was meant in the previous answer, which enables you to remove fish bucket information for a specific file.
Easiest way to re-index all inputs on a universal forwarder is to delete the fish bucket index while Splunk UF is stopped:

 $SPLUNK_HOME/bin/splunk stop
 rm -rf $SPLUNK_HOME/var/lib/splunk/fishbucket
 $SPLUNK_HOME/bin/splunk start

Splunk will re-create the fish bucket index and immediately re-index all the inputs on your universal forwarder, so watch out for your license usage 😉

cheers, MuS

ddrillic · ‎06-13-2016

A sensational explanation at How to reindex data from a forwarder

vpassaro · ‎01-16-2019

404 -- not found

woodcock · ‎06-13-2016

Reset the fishbucket with btprobe:

http://docs.splunk.com/Documentation/Splunk/6.4.1/Troubleshooting/CommandlinetoolsforusewithSupport

spl_unker · ‎02-24-2022

is there a way to clear fishbucket without reindexing? In one of the old UF , fishbucket file has occupied complete disk space and i need to clear the file to run Splunk again.

How do I force a universal forwarder to reindex all its inputs?

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability

Introducing the Splunk Community Dashboard Challenge!