
Deleted data input file directory. Then renamed and created a new data input directory. Ran search but no results found

Explorer

In Splunk Enterprise version 7.2.1, Step 1: created a data input from the "Files & Folders" | "New Local File & Directory" button. For example: D:\a4. Then ran a search query on the D:\a4 contents and it returned results OK.
Then realized I had misspelled "a4", so deleted the data input "a4" from http://localhost:8000/en-US/manager/search/data/inputs/monitor. Next, in Windows Explorer, renamed the folder from "a4" to "b4"
and repeated Step 1, pointing to D:\b4.
However, after running a search on the new data input directory, I get no results. Checked C:\Program Files\Splunk\etc\apps\search\local\inputs.conf, and "D:\a4" is not listed. Please help me. Thanks.


Motivator

Hello @qtorque95,

Check out How Splunk Enterprise handles log file rotation.

When you or a log rotation program moves a file then Splunk recognizes that it is the same file and does not index it again.

If you really want to index that file again, then I see two options:

Option 1: Add the following line to your inputs.conf:

crcSalt = <SOURCE>

Doing so ensures that each file has a unique CRC.

(You need to restart Splunk after making changes to configuration files.)

Option 2: You remove the indexed data. Do the following on the command line:

splunk clean eventdata -index <index_name>

This will delete the indexed data and reindex any inputs. You need to stop Splunk first before issuing this command.


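As an added illustration (not code from this thread or from Splunk), here is a small Python model of the fishbucket check described in the answer above: the key is a CRC of the file's first 256 bytes, so a renamed directory yields the same key and the file is skipped, while crcSalt = <SOURCE> folds the source path into the key. CRC-32, the folder names and the sample log lines are assumptions made for this example, not Splunk's real checksum or data.

```python
# Added example, not Splunk's own code: a small model of how Splunk decides a
# monitored file was "already seen". The fishbucket is keyed on a CRC of the
# file's first 256 bytes (initCrcLength), salted with the source path when
# crcSalt = <SOURCE> is set. CRC-32 stands in for Splunk's real checksum here.
import os
import tempfile
import zlib

INIT_CRC_LENGTH = 256  # Splunk's default initCrcLength


def file_key(path, crc_salt_source=False):
    """Fishbucket-style key: CRC of the file head, optionally salted with path."""
    with open(path, "rb") as fh:
        head = fh.read(INIT_CRC_LENGTH)
    if crc_salt_source:
        head += path.encode("utf-8")  # crcSalt = <SOURCE> mixes in the path
    return zlib.crc32(head) & 0xFFFFFFFF


def should_index(fishbucket, path, crc_salt_source=False):
    """Return True and record the file if its key is new; False if it matches
    an already indexed file (Splunk then skips it as a rotated/moved copy)."""
    key = file_key(path, crc_salt_source)
    if key in fishbucket:
        return False
    fishbucket.add(key)
    return True


def demo_rename(crc_salt_source=False):
    """Index a4\\app.log, rename the folder to b4 (as in the question), retry.
    Returns (indexed_first_time, indexed_after_rename)."""
    # Constructed sample log, longer than 256 bytes so the CRC window is full.
    body = b"".join(b"2019-01-01 12:00:%02d INFO event %d\n" % (i, i) for i in range(20))
    fishbucket = set()  # stands in for var/lib/splunk/fishbucket
    with tempfile.TemporaryDirectory() as tmp:
        a4 = os.path.join(tmp, "a4")
        os.mkdir(a4)
        with open(os.path.join(a4, "app.log"), "wb") as fh:
            fh.write(body)
        first = should_index(fishbucket, os.path.join(a4, "app.log"), crc_salt_source)
        b4 = os.path.join(tmp, "b4")
        os.rename(a4, b4)
        second = should_index(fishbucket, os.path.join(b4, "app.log"), crc_salt_source)
    return first, second


if __name__ == "__main__":
    print("default:           ", demo_rename())      # (True, False)
    print("crcSalt = <SOURCE>:", demo_rename(True))  # (True, True)
```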

Explorer

Thank you @whrg, @prakash007 for your answers. What I did to solve it:
1. in Windows server, went to Control Panel --> Services.
2. Stop and start "Splunkd Service".



Builder

@qtorque95: looks like you have Splunk Enterprise installed on your local...
1. Try running this command to check the input status of the monitor path:
$SPLUNK_HOME/bin/splunk list input status
2. If you see your monitor path in the list above, you can reset the file checkpoints (Splunk might be treating the above file as a duplicate):
https://docs.splunk.com/Documentation/Splunk/7.2.1/Troubleshooting/CommandlinetoolsforusewithSupport...
Read this Splunk doc on how Splunk calculates the CRC:
https://docs.splunk.com/Documentation/Splunk/7.2.1/Data/Howlogfilerotationishandled
3. Stop Splunk, delete the fishbucket ($SPLUNK_HOME/var/lib/splunk/fishbucket), and start Splunk (this will reindex all files; NOT the best solution on prod boxes).


Explorer

Thank you @prakash007. 1. Using the Windows command prompt, typed "cd C:\Program files\splunk\bin\ splunk.exe list input status". Another DOS screen opens for 2 or 3 seconds, but I am not able to see the contents. Even tried to send the results to a file as follows: at C:\Program Files\Splunk\bin typed (shown in quotes)
"splunk.exe list input status > inputstatus.txt" to see the printed results. But got "Access Denied". I don't understand, as I am logged in as Administrator.
3. Using Windows Control Panel | Services, I stopped "Splunkd Service". But not sure of the syntax to run the "delete fishbucket" step using the Windows command prompt or Windows PowerShell. (I searched for this, but without success.) Thank you.


Contributor

Execute the command below to reset the fishbucket:

.\splunk.exe cmd btprobe -d "C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db" --file "<path to the monitored file>" --reset
