Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

forwarding existing events

Michael
Contributor
‎05-09-2014 12:35 PM

Think I'm having duh-moment... I thought I could configure a new instance of Splunk, set it to receive, then configure my existing main-indexer to forward to it, and have it send everything it knows to the new instance -- essentially making a backup of the existing database and creating a hot-backup kind of setup. Well, I did all that, and events are flowing from the main to the "backup", but existing events are not (only new ones that are coming in). Everything appears configured correctly, and it's working; hence the 'duh' moment -- was I wrong when I thought it would forward everything it has? A conceptual error on my part?

~embarrassed to ask...

Yes, I know about the brute-force method of backups with flushing, copying, restarting...

Tags (1)
0 Karma
Reply

lguinn2
Legend
‎05-09-2014 06:32 PM

To make the forwarder resend everything it has, you can reset the fishbucket on the forwarder. The "fishbucket" is where Splunk stores all the data about the files it is monitoring. To do that, just stop Splunk on the forwarder (no need to stop the indexers) and then find the fishbucket directory - usually it is under $SPLUNK_HOME/var/lib/splunk. Remove the fishbucket directory and all subdirectories. Restart the forwarder, and it will start from the beginning of all files that it is monitoring. (It will create a new fishbucket when it restarts.)

Of course, the Splunk forwarder can't resend any temporal data like the results of script executions or any network inputs, so be careful about that!

Reply

Michael
Contributor
‎05-12-2014 09:04 AM

Egads! Using Splunk for five years now; I totally forgot about the fishbucket...

Thanks!

0 Karma
Reply

linu1988
Champion
‎05-09-2014 01:28 PM

not really embarrassing it wont forward any existing indexed data. You could copy them over to the new server and append the new events from now on..

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...