Data not found after indexing

abhayneilam · ‎12-18-2012

I had made an application called "XYX" and kept it in .../app directory, it was working fine but suddenly applied this command in search box in search application :

index="myindex_name" | delete

and then I restarted my SPLUNK tool after that when I am trying to access data through "XYX" application I dont find any data , but I have providing my data as :

[monitor://$SPLUNK_HOME\etc\apps\Abhay-SECOP\logs\ANZ*Mail*.txt]

file is there in the Directory ANZ but still I am not able to see anything ..

please help me regarding this ...

dgililo · ‎09-27-2013

We run SPLUNK in test and dev environment to test parsing logic before moved to production monitoring. so need to reset Heavy Forwarder to index from scratch once parsing logic has been updated.

On the heavy forwarder i am trying to use

$ ./splunk clean eventdata -index fishbucket This action will permanently erase all events from the index 'fishbucket'; it cannot be undone. Are you sure you want to continue [y/n]? y ERROR: Index 'fishbucket' does not exist. [ebstsf-17] /app/splunk/bin $ ./splunk clean eventdata _fishbucket This action will permanently erase all events from the index 'fishbucket'; it cannot be undone. Are you sure you want to continue [y/n]? y ERROR: Index '_fishbucket' does not exist. [ebstsf-17] /app/splunk/bin $ cd ../var/lib/

Both commands throw ERROR: Index '_fishbucket' does not exist.

please help

jonuwz · ‎12-19-2012

speak to your storage team and get them to restore /opt/splunk/var/lib/splunk/<name of the index you wiped>

you wiped your index clean

Drainy · ‎12-19-2012

I love how it "suddenly applied this command" 😉 Splunk is well known for adding the can delete role to a user and then appending the delete command to the end of a search string! Seriously though, what MuS says below is right. You'll need to do some fishbucket cleaning to get the data back again.

EDIT: Read here for more detail on the fishbucket;
http://splunk-base.splunk.com/answers/66927/no-longer-seeing-all-logs-after-clearing-index

Drainy · ‎12-19-2012

Oh and it might be an idea to remove the can delete role and only add it as and when you need it. No need to keep it on all the time, especially if accidents like this happen 🙂

Drainy · ‎12-19-2012

Have a full read of the link I pasted above, it covers this 🙂

abhayneilam · ‎12-19-2012

Hi Drainy,

I gave the following command and got this :

splunk clean eventdata _fishbucket

This action will permanently erase all events from the index '_fishbucket'; it c
annot be undone.
Are you sure you want to continue [y/n]? y
ERROR: Index '_fishbucket' does not exist.

Please let me know how to get it solved !!

MuS · ‎12-19-2012

Hi adhayneilam

index="myindex_name" | delete

this command will remove your events from index=myindex for all searches, so you will not be able to find them again. If your apps is based on that index, you will not get an event back.

read more about the delete command here

cheers,

MuS

Data not found after indexing

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation

Data not found after indexing

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!