https://community.splunk.com/t5/Getting-Data-In/re-read-a-directory/m-p/59274#M96868 <P>you can add a <CODE>-sourcetype mysourcetype</CODE> flag to the commmand line above.</P> Wed, 16 Mar 2011 01:28:47 GMT gkanapathy 2011-03-16T01:28:47Z https://community.splunk.com/t5/Getting-Data-In/re-read-a-directory/m-p/59270#M96864 <P>Having some trouble with a directory monitor:</P> <P><CODE>[monitor:///usr/local/ecc_to_splunk/pickup/*.disk.*]</CODE></P> <P>This monitor loaded the data, but I deleted it (for unrelated reasons) and am having trouble getting splunk to read it again. After deleting the data in splunk using <CODE>|delete</CODE>, I removed the files from the dir, disabled then enabled the monitor, then put the same files back. </P> <P>It seems as though splunk isn't reading the files because it already has once. Is there a way to override this and force splunk to read them? Thanks.</P> Tue, 15 Mar 2011 13:14:23 GMT https://community.splunk.com/t5/Getting-Data-In/re-read-a-directory/m-p/59270#M96864 dinisco 2011-03-15T13:14:23Z https://community.splunk.com/t5/Getting-Data-In/re-read-a-directory/m-p/59271#M96865 <P>If I understand you correctly, Splunk has previously indexed the data. Even if you delete the source file(s) and then later on re-add them, I do not think Splunk will re-index them as they already existing within Splunk.</P> Tue, 15 Mar 2011 20:29:41 GMT https://community.splunk.com/t5/Getting-Data-In/re-read-a-directory/m-p/59271#M96865 netwrkr 2011-03-15T20:29:41Z https://community.splunk.com/t5/Getting-Data-In/re-read-a-directory/m-p/59272#M96866 <P>You can force Splunk to forget <EM>all</EM> file history that it has read by cleaning out the fishbucket directory (while Splunk is down) on the machine where it was read from. This probably isn't what you want. You can also have Splunk re-index a specific file using:</P> <PRE><CODE>./splunk add oneshot /usr/local/ecc_to_splunk/pickup/file1.disk.ext </CODE></PRE> <P>You can't wildcard this, you have to run this for each specific file name, though you could of course script that in the shell.</P> Tue, 15 Mar 2011 21:20:00 GMT https://community.splunk.com/t5/Getting-Data-In/re-read-a-directory/m-p/59272#M96866 gkanapathy 2011-03-15T21:20:00Z https://community.splunk.com/t5/Getting-Data-In/re-read-a-directory/m-p/59273#M96867 <P>Thanks this is exactly what I was looking for. Is there a way to set the sourcetype? I have one specifically defined for these files in tranforms.conf.</P> Tue, 15 Mar 2011 23:41:43 GMT https://community.splunk.com/t5/Getting-Data-In/re-read-a-directory/m-p/59273#M96867 dinisco 2011-03-15T23:41:43Z https://community.splunk.com/t5/Getting-Data-In/re-read-a-directory/m-p/59274#M96868 <P>you can add a <CODE>-sourcetype mysourcetype</CODE> flag to the commmand line above.</P> Wed, 16 Mar 2011 01:28:47 GMT https://community.splunk.com/t5/Getting-Data-In/re-read-a-directory/m-p/59274#M96868 gkanapathy 2011-03-16T01:28:47Z https://community.splunk.com/t5/Getting-Data-In/re-read-a-directory/m-p/59275#M96869 <P>So I had the same problem, I had <CODE>| delete</CODE>-ed a bunch of data, but then wanted to re-add to splunk. </P> <P>When using <CODE>./splunk add oneshot</CODE> all the data was added back to splunk BUT the timestamp for ALL the data was from when it was re-added, not the original modtime of the file (input is a directory with 2000+ log files). is there a way to have it re-index using the timestamp of the files?</P> Wed, 15 Jun 2011 12:41:03 GMT https://community.splunk.com/t5/Getting-Data-In/re-read-a-directory/m-p/59275#M96869 joshrabinowitz 2011-06-15T12:41:03Z https://community.splunk.com/t5/Getting-Data-In/re-read-a-directory/m-p/59276#M96870 <P>well I'm dumb, and should read things first, like putting new data into a test index to make sure it looks ok and test props.conf etc. i guess i can just make a new index and splunk should index with correct timestamps</P> Wed, 15 Jun 2011 12:57:35 GMT https://community.splunk.com/t5/Getting-Data-In/re-read-a-directory/m-p/59276#M96870 joshrabinowitz 2011-06-15T12:57:35Z