https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-retroactively-split-logs-by-deleting-the/m-p/176792#M35470 <P>Excellent explanation! </P> Tue, 30 Jun 2015 15:32:45 GMT skoelpin 2015-06-30T15:32:45Z https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-retroactively-split-logs-by-deleting-the/m-p/176789#M35467 <P>I have about 10 million events in one index and my manager wants me to split them up differently than they currently are. So I went into the props.conf and wrote some regex to correctly split the logs. Now I want to have those logs split retroactively from the first event. </P> <P>My question.. Would this be possible if I were to delete the forwarder off the server then re-install the forwarder with the changes in my props.conf? </P> Thu, 25 Jun 2015 20:07:33 GMT https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-retroactively-split-logs-by-deleting-the/m-p/176789#M35467 skoelpin 2015-06-25T20:07:33Z https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-retroactively-split-logs-by-deleting-the/m-p/176790#M35468 <P>hello,</P> <P>I would use another index for testing (or make a backup)<BR /> it's not clear where the data came from<BR /> if it's from files on the uf which are still there, then no need to reinstall<BR /> you can stop splunk uf, remove the fishbucket directory and restart the uf and splunk will start from scratch<BR /> see <A href="http://answers.splunk.com/answers/72562/how-to-reindex-data-from-a-forwarder.html">http://answers.splunk.com/answers/72562/how-to-reindex-data-from-a-forwarder.html</A></P> Thu, 25 Jun 2015 20:30:03 GMT https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-retroactively-split-logs-by-deleting-the/m-p/176790#M35468 matthieu_araman 2015-06-25T20:30:03Z https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-retroactively-split-logs-by-deleting-the/m-p/176791#M35469 <P>Yes, the <EM>easiest</EM> way is to uninstall and then reinstall Splunk on the forwarder and that will do it. You also need to <CODE>delete</CODE> the data that is currently in your indexers like this:</P> <PRE><CODE>index=myIndex | delete </CODE></PRE> <P>Yes, I know that doesn't <EM>really</EM> delete it but for his purposes, it is fine.<BR /> If you would like something a bit quicker and less radical, you can search the subject "cleaning the fishbucket" and do that on your forwarder to cause it to forget that it has ever forwarded anything.</P> Fri, 26 Jun 2015 03:20:23 GMT https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-retroactively-split-logs-by-deleting-the/m-p/176791#M35469 woodcock 2015-06-26T03:20:23Z https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-retroactively-split-logs-by-deleting-the/m-p/176792#M35470 <P>Excellent explanation! </P> Tue, 30 Jun 2015 15:32:45 GMT https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-retroactively-split-logs-by-deleting-the/m-p/176792#M35470 skoelpin 2015-06-30T15:32:45Z https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-retroactively-split-logs-by-deleting-the/m-p/176793#M35471 <P>Thanks for the info. That link was very helpful! </P> Tue, 30 Jun 2015 15:33:16 GMT https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-retroactively-split-logs-by-deleting-the/m-p/176793#M35471 skoelpin 2015-06-30T15:33:16Z