https://community.splunk.com/t5/Getting-Data-In/Reset-Splunk-Data/m-p/543199#M90696 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232316">@singhvikas</a>,</P><P>Splunk doesn't index twice a log, so the already indexed data will not be indexed again by default.</P><P>If you need to reindex them, you have to change the name of filename&nbsp;and use (as you are doing) crcSalt = &lt;SOURCE&gt; option in your input stanza.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 10 Mar 2021 13:37:36 GMT gcusello 2021-03-10T13:37:36Z https://community.splunk.com/t5/Getting-Data-In/Reset-Splunk-Data/m-p/543193#M90693 <P>Hey guys,</P><P>Let's say I have an index called test.&nbsp;</P><P>I am only ingesting EVTX by modifying the inputs.conf&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">[monitor://D:\winevt\logs\*] index = test sourcetype = preprocess-winevt crcSalt = &lt;SOURCE&gt;</LI-CODE><P>&nbsp;</P><P>Now there's an extra huge EVTX which is very slow to index and I want to just start afresh! What approach should I take?&nbsp;</P><P>I would like to -&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">splunk stop splunk clean eventdata splunk start</LI-CODE><P>&nbsp;</P><P>but would it:</P><P>1. Rest my inputs.conf? I guess no</P><P>2. If not, wouldn't it again start indexing from where I left off(given I have not changed the input and not touched the physical files)? This is what I'm seeing in my environment.&nbsp;</P><P>Thanks,</P><P>Vikas</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 10 Mar 2021 12:39:21 GMT https://community.splunk.com/t5/Getting-Data-In/Reset-Splunk-Data/m-p/543193#M90693 singhvikas 2021-03-10T12:39:21Z https://community.splunk.com/t5/Getting-Data-In/Reset-Splunk-Data/m-p/543195#M90694 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232316">@singhvikas</a>,</P><P>if you're speaking of a development index, you could also use the delete command that's faster than the other way but it doesn't delete events from the index, it only marks them as deleted.</P><P>Anyway the approach you described is the correct one but BEWARE: if you don't insert the clause "-index &lt;index_name&gt;" in the command you clean all the indexes not only the test one!!!</P><P>Ciao.</P><P>Giuseppe</P> Wed, 10 Mar 2021 12:53:32 GMT https://community.splunk.com/t5/Getting-Data-In/Reset-Splunk-Data/m-p/543195#M90694 gcusello 2021-03-10T12:53:32Z https://community.splunk.com/t5/Getting-Data-In/Reset-Splunk-Data/m-p/543196#M90695 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;</P><P>Thank you for your response, I appreciate the help (and the word of caution!)&nbsp;</P><P>Umm.. just to be clear, if the data is STILL being indexed. I can&nbsp;</P><LI-CODE lang="markup">splunk stop splunk clean eventdata splunk start</LI-CODE><P>what happens when splunk starts? It will start the indexing from scratch as per my configuration here?&nbsp;</P><LI-CODE lang="markup">[monitor://D:\winevt\logs\*] index = test sourcetype = preprocess-winevt crcSalt = &lt;SOURCE&gt;</LI-CODE> Wed, 10 Mar 2021 12:56:03 GMT https://community.splunk.com/t5/Getting-Data-In/Reset-Splunk-Data/m-p/543196#M90695 singhvikas 2021-03-10T12:56:03Z https://community.splunk.com/t5/Getting-Data-In/Reset-Splunk-Data/m-p/543199#M90696 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232316">@singhvikas</a>,</P><P>Splunk doesn't index twice a log, so the already indexed data will not be indexed again by default.</P><P>If you need to reindex them, you have to change the name of filename&nbsp;and use (as you are doing) crcSalt = &lt;SOURCE&gt; option in your input stanza.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 10 Mar 2021 13:37:36 GMT https://community.splunk.com/t5/Getting-Data-In/Reset-Splunk-Data/m-p/543199#M90696 gcusello 2021-03-10T13:37:36Z