I have a Splunk DB Connect v3 input that is doing a "rising column" style input. How can I reset the input so it will reindex the same rows from the database for testing purposes? This would be analogous to removing the fishbucket subdirectory when trying to reindex a monitored file directory.
There are two ways to reset the rising column:
Reset the value in the file itself
Path:
$SPLUNK_HOME/var/lib/splunk/modinputs/server/splunk_app_db_connect folder/YourInputName
Change the most recent entry (tail):
{"value":"842150477","appVersion":"3.1.1","columnType":-5,"timestamp":"2017-09-26T13:18:09.175+10:00"}
to {"value":"0","appVersion":"3.1.1","columnType":-5,"timestamp":"2017-09-26T13:18:09.175+10:00"}
(you may increase the time as well)
Small correction on the path of rising column file... it is at: $SPLUNK_DB/modinputs/server/splunk_app_db_connect folder/YourInputName
by default, $SPLUNK_DB points to $SPLUNK_HOME/var/lib/splunk
by default, $SPLUNK_HOME points to /opt/splunk
.....but not always.
By the way, you can change the path of $SPLUNK_DB variable in your splunk-launch.conf file
@pmalcakdoj, our paths point to the same directory.. yours is just shorter
When Splunk releases a newer version, I back up/archive the entire $SPLUNK_HOME path before I perform the upgrade. The size of that archive gets out of hand rather quickly if you don't change your $SPLUNK_DB path. With default settings, you will be zipping up all of your indexes every time you do this since indexes are located inside the $SPLUNK_HOME by default.
I pointed my $SPLUNK_DB to be outside of splunk installation. This has several benefits:
- my $SPLUNK_HOME zip files are 700MB (as opposed to several TB due to size of my indexes)
- you can store your indexes on separate mount point (HDD for OS, SSD for splunk indexes)
- you can have indexes at the root of the partition instead of buried many folders deep (on Windows, path length is limited)
Your path will not work for people that have changed the $SPLUNK_DB location.
Mine is more accurate
You can manipulate the Checkpoint Value from Web or CLI (in the corresponding inputs.conf) and set it to a lower value from where you want to reindex your data.
Cheers!
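Added example, not written by any poster in this thread and not Splunk's own tooling: the file-based reset from the first answer, with the checkpoint path resolved through $SPLUNK_DB as the comments recommend. It assumes the checkpoint file holds one JSON entry per line with the newest last, that `splunk_app_db_connect` is the literal directory name, and that `splunk-launch.conf` sits in `$SPLUNK_HOME/etc`; the function names are hypothetical.

```python
import json
import os
import shutil
from pathlib import Path


def splunk_db_dir(env=None):
    """Resolve $SPLUNK_DB: environment, then splunk-launch.conf, then the default."""
    env = os.environ if env is None else env
    home = env.get("SPLUNK_HOME", "/opt/splunk")
    if env.get("SPLUNK_DB"):
        return Path(env["SPLUNK_DB"])
    launch = Path(home) / "etc" / "splunk-launch.conf"
    conf = launch.read_text().splitlines() if launch.is_file() else []
    for raw in conf:  # commented-out lines never match the bare key
        key, sep, val = raw.strip().partition("=")
        if sep and key.strip() == "SPLUNK_DB" and val.strip():
            return Path(val.strip())  # taken literally, no variable expansion
    return Path(home) / "var" / "lib" / "splunk"


def checkpoint_file(input_name, env=None):
    # Directory layout as given in the thread (assumed literal names).
    return splunk_db_dir(env) / "modinputs/server/splunk_app_db_connect" / input_name


def reset_rising_column(path, new_value="0"):
    """Set "value" in the most recent (last) entry; return the previous value."""
    path = Path(path)
    lines = path.read_text().splitlines()
    live = [i for i, line in enumerate(lines) if line.strip()]
    if not live:
        raise ValueError(f"no checkpoint entries in {path}")
    entry = json.loads(lines[live[-1]])
    old = entry["value"]
    shutil.copy2(path, path.with_name(path.name + ".bak"))  # rollback copy
    entry["value"] = str(new_value)
    lines[live[-1]] = json.dumps(entry, separators=(",", ":"))
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_text("\n".join(lines) + "\n")
    os.replace(tmp, path)  # atomic swap: no half-written checkpoint
    return old


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:  # constructed demo tree, not a real install
        f = checkpoint_file("YourInputName", {"SPLUNK_DB": d})
        f.parent.mkdir(parents=True)
        f.write_text('{"value":"842150477","appVersion":"3.1.1","columnType":-5}\n')
        print(reset_rising_column(f), "->", f.read_text().strip())
```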