Solved: Splunk doesn't index csv files after cleaning eve...

splunknewbie05 · ‎04-29-2015

I have my own test servers
a) universal forwarder
b) indexer

I push the large csv files (containing around 30 to 40k events) through universal forwarder with source_type=csv.
Splunk indexer was happily indexing csv files pushed from universal forwarder
I wanted to clean up all the events in indexer and did the following
a) splunk stop
b) splunk clean eventdata
c) splunk start

After I ran the above commands to clean the event data and now push the csv files again, splunk doesn't see them or index them.

Its kind of annoying.

Any thoughts on why splunk would stop indexing csv files?

woodcock · ‎04-29-2015

You can do 1 of 3 things:
1: Clear the fishbucket
2: Modify the contents of the file slightly (add a carriage return at the top).
3: Add crcSalt= and change the filename.

See most of the particulars here:
http://answers.splunk.com/answers/46780/reset-splunkforwarder-to-re-read-file-from-beginning.html

View solution in original post

woodcock · ‎04-29-2015

You can do 1 of 3 things:
1: Clear the fishbucket
2: Modify the contents of the file slightly (add a carriage return at the top).
3: Add crcSalt= and change the filename.

See most of the particulars here:
http://answers.splunk.com/answers/46780/reset-splunkforwarder-to-re-read-file-from-beginning.html

Splunk doesn't index csv files after cleaning events data

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!