Solved: Splunk doesn't index csv files after cleaning eve...

splunknewbie05 · ‎04-29-2015

I have my own test servers
a) universal forwarder
b) indexer

I push the large csv files (containing around 30 to 40k events) through universal forwarder with source_type=csv.
Splunk indexer was happily indexing csv files pushed from universal forwarder
I wanted to clean up all the events in indexer and did the following
a) splunk stop
b) splunk clean eventdata
c) splunk start

After I ran the above commands to clean the event data and now push the csv files again, splunk doesn't see them or index them.

Its kind of annoying.

Any thoughts on why splunk would stop indexing csv files?

woodcock · ‎04-29-2015

You can do 1 of 3 things:
1: Clear the fishbucket
2: Modify the contents of the file slightly (add a carriage return at the top).
3: Add crcSalt= and change the filename.

See most of the particulars here:
http://answers.splunk.com/answers/46780/reset-splunkforwarder-to-re-read-file-from-beginning.html

View solution in original post

woodcock · ‎04-29-2015

You can do 1 of 3 things:
1: Clear the fishbucket
2: Modify the contents of the file slightly (add a carriage return at the top).
3: Add crcSalt= and change the filename.

See most of the particulars here:
http://answers.splunk.com/answers/46780/reset-splunkforwarder-to-re-read-file-from-beginning.html

Splunk doesn't index csv files after cleaning events data

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?