Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you reload a file?

jldebell
Path Finder
‎03-16-2015 02:37 PM

The permissions were incorrect for files being monitored. The files appeared to be indexed but they are not in Splunk. I went in and altered the file to trick the CRC Check Sum thinking it would trick the system into re-indexing the items. I get the following messages when I saved the revised files (real-time) in the _internal index:

Will begin reading at offset=0 for file=

And

group=per_source_thruput, series="/opt/splunk/*.txt", kbps=###, eps=###, kb=###, ev=###, avg_age=###, max_age=###

I am not seeing denied/failed messages. The information is still not indexing.

Please let me know if you have any suggestions.

Thanks, Jenn

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jldebell
Path Finder
‎04-08-2015 02:14 PM

The files were not able to reload because there was a TIME_FORMAT error associated. I was able to get the formatting corrected and reload the files. The error message was over a week old, but it was the root cause. I have included the link to the other question associated in case others encounter something similar.

http://answers.splunk.com/answers/224111/how-do-i-properly-describe-non-standard-datetime-f.html#ans...

Thanks again for everyone's assistance.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jldebell
Path Finder
‎04-08-2015 02:14 PM

The files were not able to reload because there was a TIME_FORMAT error associated. I was able to get the formatting corrected and reload the files. The error message was over a week old, but it was the root cause. I have included the link to the other question associated in case others encounter something similar.

http://answers.splunk.com/answers/224111/how-do-i-properly-describe-non-standard-datetime-f.html#ans...

Thanks again for everyone's assistance.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-16-2015 03:02 PM

What is your data input configuration (inputs.conf ) from the forwarder? When updating the content to trick the CRC, what portion of the file you updated, from start of file or end of file?

0 Karma
Reply
Solved! Jump to solution

jldebell
Path Finder
‎03-16-2015 03:49 PM

I altered the start of the file. I added a space initially, but it didn't work. It would not let me save it stating there were no changes. I then added | (pipes). The file updated, but did not index.

0 Karma
Reply
Solved! Jump to solution

glennpierce
Explorer
‎03-16-2015 03:01 PM

Hi Jenn,

I think this Splunk Answer may be what you're after:

http://answers.splunk.com/answers/72562/how-to-reindex-data-from-a-forwarder.html

Reply
Solved! Jump to solution

jldebell
Path Finder
‎03-16-2015 03:52 PM

Thanks for the reference. i was reading about the one shot and fish bucket clean up. I will see if this will work. Thanks!

0 Karma
Reply
Solved! Jump to solution

esix_splunk
Splunk Employee
Splunk Employee
‎03-16-2015 03:00 PM

Quickest way is to delete a specific file from the fishbucket (state monitoring.)

./splunk cmd btprobe -d /path/to/splunk/var/lib/splunk/fishbucket/splunk_private_db --file /full/path/to/filename.txt --reset

That will reset Splunk's internal monitor for files, and force it to reread the specific file. If you have only a hand full of files, this works easily. If you're dealing with thousands of files, then you'd want to script this as wildcards do not work.

Here is a good answers article on various methods : http://answers.splunk.com/answers/72562/how-to-reindex-data-from-a-forwarder.html

0 Karma
Reply
Solved! Jump to solution

jldebell
Path Finder
‎03-16-2015 03:50 PM

If I understand correctly, this will clean out the file so then I can re-index it. It won't impact other files since I am specifying which to look for. I will try this.

0 Karma
Reply
Solved! Jump to solution

jldebell
Path Finder
‎03-17-2015 01:23 PM

I tried the string, but I am getting a file path not recognized. I am in the server, drilled down to the splunk_private_db and then added the string. The first path was the splunk_private_bd and the second was the path to the file. I was able to tab and have it pull the information (auto-fill function in Unix). Which I would expect that if I tab and it auto-fills that the path exists. I am guessing it is a user error and I played around based on documentation, but I am not catching it.

In the server:
logged in as Splunk.

navigate to the /opt/splunk/var/lib/splunk/fishbucket/splunk_private_db/ folder

add the following details:

./splunk cmd btprobe -d /opt/splunk/var/lib/splunk/fishbucket/splunk_private_db/ --file /opt/splunk/F1/F2/text_file.TXT --reset

Error message:

-bash: ./splunk: No such file or directory

I am going to search on error messages related to the command and see if i can find anything. Please keep me posted if you see anything I missed.

Thanks, Jenn

0 Karma
Reply
Solved! Jump to solution

glennpierce
Explorer
‎03-17-2015 03:42 PM

If your using bash on a *nix based system make sure your in the $SPLUNK_HOME/bin directory before you run that command. Or add /opt/splunk/bin/splunk cmd [etc] to your command.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...