I know that Splunk uses CRC to determine whether the data file has been modified and will index the new inserted data.
I want to know:
1. Where does Splunk store these information? Can we move these information data as files if we deploy Splunk to another server machine?
2. What if we restart Splunk? The whole data files will be reindexed or CRC still applies so that only new inserted data will be indexed?
Thanks!
Hi -
Hope this helps.
Hi,
I had some problems with reindexing after server restart... it seems the problem was caused by the DB Inputs (using DB Connect), that refresh data after restart (even if the refresh interval was set to 10 years).
The solution was to DISABLE the static DB Inputs after indexing the tables for first time.
Regards,
Hi
splunk store the information under the fishbucket. this index will have all the details
Regards
Vinod Padarthi
Hi -
Hope this helps.