Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Deleting an Index from the fish bucket

Dark_Ichigo
Builder
‎12-06-2011 05:30 PM

I want to find an index I created and remove it completely from Splunk, so I can re-use the same name, How can this be done?

Tags (3)
Reply

Jason
Motivator
‎01-09-2013 06:49 AM

Another way to force re-indexing of already-indexed files is to add a crcSalt to the particular input in inputs.conf. Any file that was found by the input would then get a modified hash in the fishbucket and would be re-read.

[monitor:///some/awesome/stuff]
sourcetype = best_to_have_one
blacklist = \.if_necessary$
crcSalt = readItAgain

You could run a search for | metadata type=sources index=bad to pull a list of all the files you need to find, then add a crcSalt to those input stanzas in inputs.conf.

This may help too, using btprobe: http://splunk-base.splunk.com/answers/54070/btprobe-and-re-indexing-data/66208

Reply

wrangler2x
Motivator
‎01-24-2013 01:25 PM

This worked hot-damn!

I had some syslog data that went into a wrong index. After fixing that problem, I used a command line search to get the raw records, and used the manager to create a one-time input for the file created from that. Did not index! Fishbucket! So I ran across this and created a batch input for the desired index (sinkhole type) and added the crcSalt = readItAgain and after splunk restarted the file was gone and the data was indexed where it ought to be. Excellent!

0 Karma
Reply

twkan
Splunk Employee
Splunk Employee
‎12-07-2011 07:06 AM

If you want to reindex the same files again, you can take a look at the 'oneshot' command. Another way I could think of is to install a temporary forwarder to re-index those files before forwarding them out to the current instance. Since this temporary forwarder will have a new fishbucket, it wouldn't know the files have already been indexed before and you can achieve the re-indexing without clearing the existing fishbucket on your instance.

0 Karma
Reply

_d_
Splunk Employee
Splunk Employee
‎12-06-2011 07:49 PM

This will clean the ENTIRE fishbucket:

./splunk clean eventdata _thefishbucket

Not sure how to clean select or partial data from fishbucket.

Reply

parth_panchal
Splunk Employee
Splunk Employee
‎02-03-2021 09:31 PM

Hi @_d_./splunk clean eventdata _thefishbucket is wrong command it will delete all data from all indexes in Splunk instance. Please use ./splunk clean eventdata -index  _thefishbucket  to clean the fishbucket only.

 

0 Karma
Reply

wrangler2x
Motivator
‎03-27-2014 08:44 AM

There is an explanation of how to do a partial cleaning of t he fishbucket here: http://answers.splunk.com/answers/72562/how-to-reindex-data-from-a-forwarder

0 Karma
Reply

Dark_Ichigo
Builder
‎12-06-2011 07:54 PM

This is What I need, although I do not want to delete the whole fishbucket, would it be possible to use this following command to remove a particular index from the Fishbucket:

./splunk clean eventdata _fishbucket -index

If there was, this would defiantly solve a great number of issues im having!

0 Karma
Reply

_d_
Splunk Employee
Splunk Employee
‎12-06-2011 07:28 PM

To remove an index, stop the splunk service and do the following from the command line:

./splunk clean eventdata -index <index_name>

Note: This will completely delete the data in the specified index and is irreversible!

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!

Reply

Dark_Ichigo
Builder
‎12-06-2011 07:41 PM

Nope this isnt useful, I do need to mention that when clearing event data, I cannot re-index the same files to that index, unless I change the index name!

What I want is to Completely remove the index from Splunk!.....basically from the Fishbucket in order to re-index my logs.

So how can I do this?

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...