Reindex a file on 3000 machines

daniel333 · ‎01-11-2019

All,

I indexed a 30-line config file off all our Linux hosts. But accidentally used the wrong source-type and index. So I deleted the delete with | delete. Now I need to reindex the file now that I have the correct inputs.conf configured. I thought it would as simple as adding

crcsalt= and I'd be set. But it's not working. Any ideas?

martin_mueller · ‎01-11-2019

You can change the init CRC length in your inputs.conf, that will invalidate all fishbucket entries you previously had.

martin_mueller · ‎01-12-2019

A 30-line config file should be long enough for a 256b CRC - that's just eight byte per line.

Note, configuration keys are case sensitive. Make sure you used crcSalt and initCrcLength as specified in inputs.conf.

gjanders · ‎01-12-2019

if you just want to ingest this file once off than perhaps oneshot? As per https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorfilesanddirectoriesusingtheCLI

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

daniel333 · ‎01-11-2019

Tried this with no luck. I suspect since this file is very tiny that the CRC init might not play a factor but I am honestly not sure. Any other tricks?

Reindex a file on 3000 machines

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...