Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I reindex data that doesn't want to be reindexed?

Adam_Marx
Explorer
‎12-06-2017 11:03 AM

I've created a watched folder loaded to successfully from it and then made some changes and deleted the data in the index (splunk clean eventdata -index yourindex -f) and removed the watched folder assuming I was effectively starting over.

I'm now trying to recreate the watched folder with the same data file(s) but splunk won't read them, it seems to identify the files as the "number of files" count is increasing on the data inputs/file directory's page but it's not indexing them.

I think somehow splunk has identified the files so as not to reindex them however now that I've cleared the index I actually want it to reindex the files.. I hope this is making sense.

Anyone know what I'm doing wrong and how to rectify?

Thanks,

0 Karma
Reply

rphillips_splk
Splunk Employee
Splunk Employee
‎12-06-2017 11:14 AM

@Adam_Marx you can clean the fishbucket to re-read the entire file , or you could also create a new file with same data but different filename and use crcSalt for that monitor input

inputs.conf
[monitor:///opt/splunkforwarder/var/logs]
index=main
crcSalt =

https://answers.splunk.com/answers/46780/reset-splunkforwarder-to-re-read-file-from-beginning.html

Reply

Adam_Marx
Explorer
‎12-06-2017 11:48 AM

Seems to be a problem with cleaning the fishbucket

C:\Program Files\Splunk\bin>splunk clean eventdata -index _fishbucket
This action will permanently erase all events from the index '_fishbucket'; it cannot be undone.
Are you sure you want to continue [y/n]? y
ERROR: Index '_fishbucket' does not exist.
0 Karma
Reply

DalJeanis
Legend
‎12-06-2017 01:49 PM

@adam_marx - I've moved your comments into the thread under the answer, to reduce confusion. If your problem has been solved, please accept the answer. Also, in general you can always feel free to upvote any answers you found particularly helpful or useful, whether or not you were the one who asked the question.

0 Karma
Reply

Adam_Marx
Explorer
‎12-06-2017 12:05 PM

splunk clean eventdata cleaned the fishbucket and others...

Thanks,

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...