Deleting an Index from the fish bucket

Dark_Ichigo · ‎12-06-2011

I want to find an index I created and remove it completely from Splunk, so I can re-use the same name, How can this be done?

Jason · ‎01-09-2013

Another way to force re-indexing of already-indexed files is to add a crcSalt to the particular input in inputs.conf. Any file that was found by the input would then get a modified hash in the fishbucket and would be re-read.

[monitor:///some/awesome/stuff]
sourcetype = best_to_have_one
blacklist = \.if_necessary$
crcSalt = readItAgain

You could run a search for | metadata type=sources index=bad to pull a list of all the files you need to find, then add a crcSalt to those input stanzas in inputs.conf.

This may help too, using btprobe: http://splunk-base.splunk.com/answers/54070/btprobe-and-re-indexing-data/66208

wrangler2x · ‎01-24-2013

This worked hot-damn!

I had some syslog data that went into a wrong index. After fixing that problem, I used a command line search to get the raw records, and used the manager to create a one-time input for the file created from that. Did not index! Fishbucket! So I ran across this and created a batch input for the desired index (sinkhole type) and added the crcSalt = readItAgain and after splunk restarted the file was gone and the data was indexed where it ought to be. Excellent!

twkan · ‎12-07-2011

If you want to reindex the same files again, you can take a look at the 'oneshot' command. Another way I could think of is to install a temporary forwarder to re-index those files before forwarding them out to the current instance. Since this temporary forwarder will have a new fishbucket, it wouldn't know the files have already been indexed before and you can achieve the re-indexing without clearing the existing fishbucket on your instance.

_d_ · ‎12-06-2011

This will clean the ENTIRE fishbucket:

./splunk clean eventdata _thefishbucket

Not sure how to clean select or partial data from fishbucket.

parth_panchal · ‎02-03-2021

Hi @_d_, ./splunk clean eventdata _thefishbucket is wrong command it will delete all data from all indexes in Splunk instance. Please use ./splunk clean eventdata -index _thefishbucket to clean the fishbucket only.

wrangler2x · ‎03-27-2014

There is an explanation of how to do a partial cleaning of t he fishbucket here: http://answers.splunk.com/answers/72562/how-to-reindex-data-from-a-forwarder

Dark_Ichigo · ‎12-06-2011

This is What I need, although I do not want to delete the whole fishbucket, would it be possible to use this following command to remove a particular index from the Fishbucket:

./splunk clean eventdata _fishbucket -index

If there was, this would defiantly solve a great number of issues im having!

_d_ · ‎12-06-2011

To remove an index, stop the splunk service and do the following from the command line:

./splunk clean eventdata -index <index_name>

Note: This will completely delete the data in the specified index and is irreversible!

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!

Dark_Ichigo · ‎12-06-2011

Nope this isnt useful, I do need to mention that when clearing event data, I cannot re-index the same files to that index, unless I change the index name!

What I want is to Completely remove the index from Splunk!.....basically from the Fishbucket in order to re-index my logs.

So how can I do this?

Deleting an Index from the fish bucket

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation