Unable to re-index all data

Deecie · ‎04-17-2012

I'm trying to re-index some old data now that I've changed what index it goes into and

The data comes in from a UF that monitors two files.

These are the steps I took:

Stopped the forwarder
Ran this on the indexer:

* | DELETE

ran this on the forwarder; my understanding is that it should clear the _fishbucket index:

splunk clean all

made my config changes
started the forwarder

I'm now seeing data come correctly into the new index with the new source types, but there's no retrospective data - only new incoming data. Anyone know what I might be doing wrong?

neelamssantosh · ‎09-17-2014

We can re-index the data by modifying first line of the log file with some comments.
eg: #Re-index
so that crcSalt doen't match with other files and it re-indexes your data.

Hope it can help you.
All the best

cramasta · ‎04-18-2012

does each event in your log file have a timestamp?

Deecie · ‎04-18-2012

Unfortunately not. All the data I index has the indexing date as its time stamp. I've tried setting up a props.conf entry to specify the timestamp format for this sourcetype but it had no effect.

araitz · ‎04-18-2012

Did your resolution for your other issue solve this problem as well?

Deecie · ‎04-18-2012

Yep, every line.

Unable to re-index all data

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability