Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I reindex data that doesn't want to be reindexed?

Adam_Marx
Explorer
‎12-06-2017 11:03 AM

I've created a watched folder loaded to successfully from it and then made some changes and deleted the data in the index (splunk clean eventdata -index yourindex -f) and removed the watched folder assuming I was effectively starting over.

I'm now trying to recreate the watched folder with the same data file(s) but splunk won't read them, it seems to identify the files as the "number of files" count is increasing on the data inputs/file directory's page but it's not indexing them.

I think somehow splunk has identified the files so as not to reindex them however now that I've cleared the index I actually want it to reindex the files.. I hope this is making sense.

Anyone know what I'm doing wrong and how to rectify?

Thanks,

0 Karma
Reply

rphillips_splk
Splunk Employee
Splunk Employee
‎12-06-2017 11:14 AM

@Adam_Marx you can clean the fishbucket to re-read the entire file , or you could also create a new file with same data but different filename and use crcSalt for that monitor input

inputs.conf
[monitor:///opt/splunkforwarder/var/logs]
index=main
crcSalt =

https://answers.splunk.com/answers/46780/reset-splunkforwarder-to-re-read-file-from-beginning.html

Reply

Adam_Marx
Explorer
‎12-06-2017 11:48 AM

Seems to be a problem with cleaning the fishbucket

C:\Program Files\Splunk\bin>splunk clean eventdata -index _fishbucket
This action will permanently erase all events from the index '_fishbucket'; it cannot be undone.
Are you sure you want to continue [y/n]? y
ERROR: Index '_fishbucket' does not exist.
0 Karma
Reply

DalJeanis
SplunkTrust
SplunkTrust
‎12-06-2017 01:49 PM

@adam_marx - I've moved your comments into the thread under the answer, to reduce confusion. If your problem has been solved, please accept the answer. Also, in general you can always feel free to upvote any answers you found particularly helpful or useful, whether or not you were the one who asked the question.

0 Karma
Reply

Adam_Marx
Explorer
‎12-06-2017 12:05 PM

splunk clean eventdata cleaned the fishbucket and others...

Thanks,

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...