Solved: Re: Use btprobe reset to re-index multiple files

MedralaG · ‎05-27-2017

I have the following files that are being monitored on a server with a universal forwarder.
/var/log/www1/secure.log
/var/log/www1/access.log
/var/log/www2/secure.log
/var/log/www2/access.log

Is there a way to use wildcards to get btprobe to reset and reindex the content of those files.
Keep in mind that the /var/log/ directory has other subfolders that are being monitored that I don't want to reset those, so purging the fishbucket folder is out of question.

woodcock · ‎05-28-2017

Even if wildcards worked (there's no indication that they do), it would be too risky to use them; just do this from shell in bash:

for file in /var/log/www1/secure.log /var/log/www1/access.log /var/log/www2/secure.log /var/log/www2/access.log
do
    echo resetting $file...
    $SPLUNK_HOME/bin/splunk cmd btprobe -d  $SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db  --file $file --reset
done

View solution in original post

woodcock · ‎05-28-2017

Even if wildcards worked (there's no indication that they do), it would be too risky to use them; just do this from shell in bash:

for file in /var/log/www1/secure.log /var/log/www1/access.log /var/log/www2/secure.log /var/log/www2/access.log
do
    echo resetting $file...
    $SPLUNK_HOME/bin/splunk cmd btprobe -d  $SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db  --file $file --reset
done

Use btprobe reset to re-index multiple files

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk