https://community.splunk.com/t5/Splunk-Search/Searching-fishbucket/m-p/26382#M177657 <P>There is a tool to selectively forgot a single file from the fishbucket</P> <P><CODE>./splunk cmd btprobe -d $SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db --file $FILE --reset</CODE></P> <P>see options for btprobe</P> <P>`</P> <P>There are 2 possible ways to invoke this tool:</P> <PRE><CODE> 1: btprobe [-h or --help] -d &lt;btree directory&gt; [-k &lt;hex key OR ALL&gt; | --file &lt;filename&gt;] [--salt &lt;salt&gt;] [--validate] [--reset] [--bytes &lt;bytes&gt;] Queries the specified BTree for the given key or file. -d Directory that contains the btree index. (Required) -k Hex crc key or ALL to get all the keys. --file File to compute the crc from. (One of -k and --file must be specified. --validate Validate the btree to look for errors. --salt Salt the crc if --file param is specified. --reset Reset the fishbucket for the given key or file in the btree. --bytes Number of bytes to read when calculating CRC (default 256). 2: btprobe [-h or --help] --compute-crc &lt;filename&gt; [--salt &lt;salt&gt;] [--bytes &lt;bytes&gt;] Computes a crc from the specified file (using the given salt if any). Examples: btprobe -d /opt/splunk/var/lib/splunk/fishbucket/splunk_private_db -k 0xe8d117ddba85e714 --validate btprobe -d /opt/splunk/var/lib/splunk/fishbucket/splunk_private_db --file /var/log/inputfile --salt SOME_SALT btprobe --compute-crc /var/log/inputfile --salt SOME_SALT </CODE></PRE> <P>`</P> Wed, 07 Aug 2013 00:47:33 GMT yannK 2013-08-07T00:47:33Z https://community.splunk.com/t5/Splunk-Search/Searching-fishbucket/m-p/26379#M177654 <P>I'm trying to figure out how to analyze and manage specific records in the _fishbucket index. </P> <P>I have big directories with many files splunk is monitoring, and our only method for reindexing right now is either cleaning the _fishbucket or adding crcSalts, both not very good for most use cases.</P> <P>I want to be able to handle specific records in the _fishbucket - looking at this old blog post (<A href="http://blogs.splunk.com/2008/08/14/what-is-this-fishbucket-thing/">what-is-this-fishbucket-thing</A>) - it starts off by saying </P> <PRE><CODE> To see what’s there, try searching for “index=_thefishbucket” </CODE></PRE> <P><STRONG>This simply doesn't work. And I want to also be able to delete specific records.</STRONG></P> <P>What's up with this? something changed since this blog post?</P> Tue, 06 Aug 2013 14:50:09 GMT https://community.splunk.com/t5/Splunk-Search/Searching-fishbucket/m-p/26379#M177654 pembleton 2013-08-06T14:50:09Z https://community.splunk.com/t5/Splunk-Search/Searching-fishbucket/m-p/26380#M177655 <P>Yes, something changed since 2008! In fact, Andrea added a footnote to the end of the article in 2010: "Note that this old post only applies to 3.x versions"</P> <P>Splunk no longer lets you look at the fishbucket index. You cannot manage the specific records. The format is not published and the files are kept in binary.</P> <HR /> <P>Thanks for the update. I guess I am a bit behind on the cool tools! Although it is still true that you can't just go editing or viewing the fishbucket!</P> <P>Here is a <A href="http://docs.splunk.com/Documentation/Splunk/5.0.3/Troubleshooting/CommandlinetoolsforusewithSupport">link</A> to the relevant section in the Troubleshooting Manual.</P> Tue, 06 Aug 2013 19:26:03 GMT https://community.splunk.com/t5/Splunk-Search/Searching-fishbucket/m-p/26380#M177655 lguinn2 2013-08-06T19:26:03Z https://community.splunk.com/t5/Splunk-Search/Searching-fishbucket/m-p/26381#M177656 <P>Are you wanting to delete certain records so that Splunk will (re-)index the files?</P> <P>Note that you can issue <CODE>splunk add oneshot</CODE> from the command line to prompt Splunk to index any file without regard for the fishbucket.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0.1/Data/MonitorfilesanddirectoriesusingtheCLI">http://docs.splunk.com/Documentation/Splunk/5.0.1/Data/MonitorfilesanddirectoriesusingtheCLI</A></P> Tue, 06 Aug 2013 19:42:10 GMT https://community.splunk.com/t5/Splunk-Search/Searching-fishbucket/m-p/26381#M177656 sowings 2013-08-06T19:42:10Z https://community.splunk.com/t5/Splunk-Search/Searching-fishbucket/m-p/26382#M177657 <P>There is a tool to selectively forgot a single file from the fishbucket</P> <P><CODE>./splunk cmd btprobe -d $SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db --file $FILE --reset</CODE></P> <P>see options for btprobe</P> <P>`</P> <P>There are 2 possible ways to invoke this tool:</P> <PRE><CODE> 1: btprobe [-h or --help] -d &lt;btree directory&gt; [-k &lt;hex key OR ALL&gt; | --file &lt;filename&gt;] [--salt &lt;salt&gt;] [--validate] [--reset] [--bytes &lt;bytes&gt;] Queries the specified BTree for the given key or file. -d Directory that contains the btree index. (Required) -k Hex crc key or ALL to get all the keys. --file File to compute the crc from. (One of -k and --file must be specified. --validate Validate the btree to look for errors. --salt Salt the crc if --file param is specified. --reset Reset the fishbucket for the given key or file in the btree. --bytes Number of bytes to read when calculating CRC (default 256). 2: btprobe [-h or --help] --compute-crc &lt;filename&gt; [--salt &lt;salt&gt;] [--bytes &lt;bytes&gt;] Computes a crc from the specified file (using the given salt if any). Examples: btprobe -d /opt/splunk/var/lib/splunk/fishbucket/splunk_private_db -k 0xe8d117ddba85e714 --validate btprobe -d /opt/splunk/var/lib/splunk/fishbucket/splunk_private_db --file /var/log/inputfile --salt SOME_SALT btprobe --compute-crc /var/log/inputfile --salt SOME_SALT </CODE></PRE> <P>`</P> Wed, 07 Aug 2013 00:47:33 GMT https://community.splunk.com/t5/Splunk-Search/Searching-fishbucket/m-p/26382#M177657 yannK 2013-08-07T00:47:33Z