Getting Data In

Promoting new source from test index

davidbann
Explorer

I'm adding a new input (UNC directory) and due to previous lessons learned, I took from best practice and sent events to a sandbox index while I fine tuned source types etc. Now I'm happy with the config and want to move the input to my "Production" index.

Other than modifying the source config to point to the new index, what do I need to do to have all the existing files reindexed to the new index? Previous attempts have only sent new events to the new index, Splunk seems to be avoiding duplicates, even across two indexes.

There is existing data in the new index that I don;t want to disturb, the sandbox index can be blown away if that matters.

Tags (2)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Splunk does not avoid duplicates, but it does avoid re-reading file data it's already read (a fine distinction). To force Splunk to re-index the files, you'll need to erase the "bookmarks" for those files. Use the btprobe command for that. Splunk must be stopped before running btprobe.

splunk stop
splunk btprobe -d $SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db --file <filename> --reset 
splunk start
---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...