Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Clear index on all indexers and re-sending all events from universal forwarders

DanneFo
Explorer
‎04-05-2018 06:26 AM

Hello

What is the recommended way to clear an index present on all our indexers and then make all the universal forwarders re-send all the events on respective Windows server?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

robgora_deloitt
Path Finder
‎04-05-2018 06:49 AM

Once you clean your Indexer, you will also have to reset your fishbucket on your Universal forwarder. Without reseting the fishbucket, you won't be able to have your server resend all the data. Easiest way to do it is to stop the Universal Forwarder and then delete the fishbucket from /Splunkforwarder/var/lib/splunk/fishbucket

You can find all the info you need for deleting the Indexes and all here:
http://docs.splunk.com/Documentation/Splunk/latest/Indexer/RemovedatafromSplunk

View solution in original post

Reply
Solved! Jump to solution
Solution

robgora_deloitt
Path Finder
‎04-05-2018 06:49 AM

Once you clean your Indexer, you will also have to reset your fishbucket on your Universal forwarder. Without reseting the fishbucket, you won't be able to have your server resend all the data. Easiest way to do it is to stop the Universal Forwarder and then delete the fishbucket from /Splunkforwarder/var/lib/splunk/fishbucket

You can find all the info you need for deleting the Indexes and all here:
http://docs.splunk.com/Documentation/Splunk/latest/Indexer/RemovedatafromSplunk

Reply
Solved! Jump to solution

p_gurav
Champion
‎04-05-2018 06:33 AM

Clean indexes in a multisite indexer cluster following these steps:
./splunk offline command on each indexer
./splunk clean eventdata
./splunk start on all indexers

This procedure worked fine for us, the master had to rebalance some stuff but didnt' had any remarkable errors or warnings and fixed all buckets as it should.

Also there is other way given here,
https://answers.splunk.com/answers/387161/official-way-to-clean-indexed-data-from-index-clus.html

Reply
Solved! Jump to solution

DanneFo
Explorer
‎04-05-2018 08:59 AM

This worked perfectly. I cannot select two answers as an "accepted answer" though 😐

0 Karma
Reply
Solved! Jump to solution

p_gurav
Champion
‎04-05-2018 09:53 AM

Happy to help!! 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...