https://community.splunk.com/t5/Getting-Data-In/re-index-windows-event-logs/m-p/138986#M28573 <P>Hi bjoernjensen,</P> <P>there is another option for <CODE>crcSalt</CODE> which is very useful - <EM>funny this is not in the docs?!?</EM></P> <P>you can use the <CODE>crcSalt = REINDEXMEPLEASE</CODE> option in any <CODE>inputs.conf</CODE> stanza to get this input re-indexed. <BR /> Add it to the stanz, restart the forwarder and let it do the work. After that, don't forget to remove the entry again .... </P> <P>Hope this helps ...</P> <P>cheers, MuS</P> Mon, 09 Feb 2015 14:40:12 GMT MuS 2015-02-09T14:40:12Z https://community.splunk.com/t5/Getting-Data-In/re-index-windows-event-logs/m-p/138985#M28572 <P>I would like to force the re-indexing of events in a local Windows Event Log channel, let's say "Security". I have tried to use crcSalt (inputs.conf) but it had no effect on the Windows Event Log events. How can I do this?</P> Mon, 09 Feb 2015 14:07:41 GMT https://community.splunk.com/t5/Getting-Data-In/re-index-windows-event-logs/m-p/138985#M28572 bjoernjensen 2015-02-09T14:07:41Z https://community.splunk.com/t5/Getting-Data-In/re-index-windows-event-logs/m-p/138986#M28573 <P>Hi bjoernjensen,</P> <P>there is another option for <CODE>crcSalt</CODE> which is very useful - <EM>funny this is not in the docs?!?</EM></P> <P>you can use the <CODE>crcSalt = REINDEXMEPLEASE</CODE> option in any <CODE>inputs.conf</CODE> stanza to get this input re-indexed. <BR /> Add it to the stanz, restart the forwarder and let it do the work. After that, don't forget to remove the entry again .... </P> <P>Hope this helps ...</P> <P>cheers, MuS</P> Mon, 09 Feb 2015 14:40:12 GMT https://community.splunk.com/t5/Getting-Data-In/re-index-windows-event-logs/m-p/138986#M28573 MuS 2015-02-09T14:40:12Z https://community.splunk.com/t5/Getting-Data-In/re-index-windows-event-logs/m-p/138987#M28574 <P>Hi MuS,</P> <P>I just tested it without success.</P> <P>Remember that crcSalt is being added to the hash of the first x bytes of a file being monitored to decide . Where x is equal to initCrcLength (inputs.conf default is 256). <A href="http://docs.splunk.com/Documentation/Splunk/6.2.1/admin/Inputsconf">inputs.conf</A></P> <P>I am running Splunk 6.2.0. Furthermore I am indexing on the Splunk machine (local Windows Event Logs).</P> <P>Any ideas?</P> Mon, 09 Feb 2015 15:24:57 GMT https://community.splunk.com/t5/Getting-Data-In/re-index-windows-event-logs/m-p/138987#M28574 bjoernjensen 2015-02-09T15:24:57Z https://community.splunk.com/t5/Getting-Data-In/re-index-windows-event-logs/m-p/138988#M28575 <P>the <CODE>REINDEXMEPLEASE</CODE> worked so far for me, never had troubles. Take a look at this post about cleaning the <CODE>_fishbucket</CODE> <A href="http://answers.splunk.com/answers/72562/how-to-reindex-data-from-a-forwarder.html">http://answers.splunk.com/answers/72562/how-to-reindex-data-from-a-forwarder.html</A> this applies to an indexer and an universal forwarder.</P> Mon, 09 Feb 2015 15:34:19 GMT https://community.splunk.com/t5/Getting-Data-In/re-index-windows-event-logs/m-p/138988#M28575 MuS 2015-02-09T15:34:19Z https://community.splunk.com/t5/Getting-Data-In/re-index-windows-event-logs/m-p/138989#M28576 <P>This could work once for a file I want to re-index. But I am looking on Windows Event Logs here. AFAIK handeling for this kind of pointer is done differently. From 2011 I found this post: <A href="http://answers.splunk.com/answers/30006/how-do-i-trigger-the-re-indexing-of-events-from-a-locally-collected-windows-event-log-channel.html">Link</A></P> <P>Unfortunately these checkpoint files do not exist on my system / any more.</P> <P>All the best - Bjoern</P> Mon, 09 Feb 2015 15:45:51 GMT https://community.splunk.com/t5/Getting-Data-In/re-index-windows-event-logs/m-p/138989#M28576 bjoernjensen 2015-02-09T15:45:51Z