I have a csv file that I am monitoring with the props.conf for the sourcetype associated with this file with the parameter CHECK_METHOD = modtime set. This works well, but I occasionally have a scenario where I need to get the fishbucket to "forget" the file being monitored.

I tried the usual procedure using btprobe and reset:

    $SPLUNK_HOME/bin/splunk cmd btprobe -d $SPLUNK_DB/var/lib/splunk/fishbucket/splunk_private_db/ --file <full path of somefile.csv> --reset

btprobe says it is unable to find the file.

I further went down this rabbit hole and tried to find the hash of the file in question, but once again no luck.

    $SPLUNK_HOME/bin/splunk cmd btprobe --compute-crc <full path of somefile.csv>
    Using logging configuration at /opt/splunkforwarder/etc/log-cmdline.cfg.
    crc=0x5db5b08c29b4b08d decimal=6752497332353544333

I used the crc and tried to grep for it:

    $SPLUNK_HOME/bin/splunk cmd btprobe -d $SPLUNK_DB/var/lib/splunk/fishbucket/splunk_private_db/ -k ALL | egrep 0x5db5b08c29b4b08d

    $SPLUNK_HOME/bin/splunk cmd btprobe --compute-crc <full path of somefile.csv> -salt <full path of somefile.csv>
    Using logging configuration at /opt/splunkforwarder/etc/log-cmdline.cfg.
    crc=0xa5cb29c8fe9d6ace decimal=11946688379772299982

I used the crc and tried to grep for it:

    $SPLUNK_HOME/bin/splunk cmd btprobe -d $SPLUNK_DB/var/lib/splunk/fishbucket/splunk_private_db/ -k ALL | egrep 0xa5cb29c8fe9d6ace

I tried this too. I *know* the splunkforwarder is monitoring the file, as btools & inputslist and monitor etc. are all showing the file. What am I missing?

Any help is greatly appreciated. I am really stumped here.