Solved: How to undelete a input source

splukUP · ‎09-08-2010

I have a log file that was |delete'd from the index using search. I want the file back in the index. I did several steps of adding and removing the file as a Splunk input and restarting the machine's splunk. It just won't come back. Is there an easy way to |undelete?

gkanapathy · ‎09-08-2010

There is no way to undelete the data. If you still have the original data, you can reindex the file with the Splunk oneshot command, examples http://answers.splunk.com/questions/684/after-fixing-props-conf-how-to-re-index-the-same-files-using... and sort-of docs: http://www.splunk.com/base/Documentation/4.1.4/Admin/CLIadmincommands

Splunk normally remembers files it has already seen and won't reindex them (even if you rename them) but oneshot bypasses this mechanism.

View solution in original post

gkanapathy · ‎09-08-2010

There is no way to undelete the data. If you still have the original data, you can reindex the file with the Splunk oneshot command, examples http://answers.splunk.com/questions/684/after-fixing-props-conf-how-to-re-index-the-same-files-using... and sort-of docs: http://www.splunk.com/base/Documentation/4.1.4/Admin/CLIadmincommands

Splunk normally remembers files it has already seen and won't reindex them (even if you rename them) but oneshot bypasses this mechanism.

How to undelete a input source

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...