This would be a very trivial question, but what are the circumstances when splunk re-indexes new data? Replacing an existing inputs.conf with another inputs.conf shouldnt actually re-index data, but incase I need to perform a re-indexing, then would it be by clearing the data and then restarting splunk services?
Thanks,
im assuming that you do not just want to re-index the data and have duplicates in.
If what you would like to do is clean all of your existing data, and then re-indexing it all up again then you can do the following:
./splunk stop
./splunk clean eventdata index_name
./splunk start
For more info on this go here
Cheers,
.gz
im assuming that you do not just want to re-index the data and have duplicates in.
If what you would like to do is clean all of your existing data, and then re-indexing it all up again then you can do the following:
./splunk stop
./splunk clean eventdata index_name
./splunk start
For more info on this go here
Cheers,
.gz
replacing inputs.conf (and restarting the server) will only make the new data that comes in obey the rules in the new inputs.conf. The data that is originally there will not be reindexed and it will not change to obey the new rules. For reindexing you will need to use the clean command, or perhaps use crcSalt
Alright, I was wondering to replace our existing inputs.conf with the same copy of inputs.conf but with some modifications/flags like sourcetype/hostname etc...
If it is the same exact inputs.conf then no, you should see no other data. If you add some other monitor stanza or any other flags in the inputs.conf (such as crcSalt) the you might see more data/duplicates
So replacing inputs.conf from existing locations shouldnt cause duplicate data right?