Solved: Installation of Splunk again and again.

msona · ‎02-18-2011

Dear All,

I am new to Splunk, So while doing changes in input.conf or props.conf etc. the changes are not taking place unless and untill. I reinstall the splunk. Is there any other method ?

Your help is appreciated..

Hajime · ‎02-21-2011

Hello. How about it? (using CLI)

Stop Splunk:

./splunk stop

Remove unnecessary data from indexes: (This example removes all data from all indexes.)

./splunk clean all -f

Restart Splunk:

./splunk restart

View solution in original post

lguinn2 · ‎05-20-2011

As "rotten" mentioned, once the data has been indexed, it cannot be changed. However, some things are not stored in the index. Those things can be changed as you wish. Below are the basics; look in the documentation for more details.

Changes to inputs.conf change how all new data will be indexed. These changes do not affect data that has already been indexed. If you want these changes to apply to all data, you will need to use the splunk clean command, as was shown in one of the other answers.

Changes to props.conf may change how data is indexed:

Setting the source, sourcetype or host - these affect how the data is indexed. Therefore, this is the same as changes to inputs.conf.
Defining field extractions - field definitions are not indexed; fields are built during the search process. These changes do not require that you restart Splunk. Any changes that you make to field extractions will apply to all data, regardless of when it was indexed. (BTW, you can do "index time field extractions" but don't. Use the normal, search-time field extractions - this is what Splunk recommends.)

If you are new to Splunk, I suggest that you use the web interface (the Splunk Manager) to set up your inputs, and the interactive field extractor to set up your fields. One of the nice things about using the Splunk web interface is that it will tell you if you need to restart Splunk.

Hajime · ‎02-21-2011

Hello. How about it? (using CLI)

Stop Splunk:

./splunk stop

Remove unnecessary data from indexes: (This example removes all data from all indexes.)

./splunk clean all -f

Restart Splunk:

./splunk restart

msona · ‎02-22-2011

Thank you very much

gkanapathy · ‎02-18-2011

You mean restart, not reinstall, right?

rotten · ‎02-18-2011

You can pull in changes to props.conf with the not-so-intuitive search command (as admin):

* | extract reload=true

I think you only need to search a short time-window (like 5 minutes) for this to cause props.conf to be reloaded.

rotten · ‎02-21-2011

Once the data is indexed it is written in stone. Re-reading the props.conf applies to future events.

msona · ‎02-21-2011

its short time data like 1 day. But Can splunk changes the data which was already indexed before ?? after changes in props.conf.
For example: Splunk taking some unnesessary field values from csv header. I wanna remove that. I am doing changes in conf files but changes taking place after reinstall the splunk.

vaijpc · ‎02-18-2011

Have you tried just restarting splunk?

$SPLUNK_HOME$/bin> splunk resart

msona · ‎02-21-2011

yes, tried but not working.
I think the problem is, splunk already index the fields and can not delete the indexed data, if I change somthing input.conf or props.conf

Installation of Splunk again and again.

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk