Getting Data In

For a clean installation of a Splunk forwarder, how do we retain a previous forwarder's search history to not reindex what was monitored?

usup_rajbahak
Path Finder

Hey there,

If we were to do a clean install of a Splunk forwarder (rip out previous version of forwarder), is there a way to retain/backup the previous forwarder's search information/history (CRC information??), so that the new forwarder will not re-index all of the log files from the directory the previous forwarder was monitoring?

We do not want to do an in-place upgrade of the forwarder, but rip out the old version and install a newer version of the forwarder, without having to re-index all of the log files the old forwarder would have already processed. Or, is this information (the CRC) saved in the indexer?

Thanks for your time.
Usup

petercow
Path Finder

Splunk keeps track of what was already indexed in the 'fishbucket' directory, $splunkforwarder$/var/log/splunk/fishbucket

If you upgrade by installing 'on top' of your existing forwarder, its contents will be preserved, so no re-indexing will take place.

0 Karma

usup_rajbahak
Path Finder

Thanks, petercow.

I understand that doing an in-place upgrade will retain the settings, but we wanted to do a clean install, and maintain the indexing information where/if possible. Is it then safe to assume that restoring the fishbucket folder would do the trick?

Thanks again

0 Karma

petercow
Path Finder

Not sure, but probably. 🙂

0 Karma
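
One way to carry the fishbucket directory across the clean install discussed in this thread, as an added example (not code from either poster or from Splunk). The function names are hypothetical, the fishbucket location is passed in as an argument rather than assumed, and the thread does not confirm that a newer forwarder version accepts the restored state.

```shell
#!/bin/sh
# Added example: back up a forwarder's fishbucket before a clean reinstall and
# restore it before the new forwarder is started for the first time.
# Stop the forwarder before backing up so the state is not changing underneath.

# backup_fishbucket <fishbucket_dir> <archive.tar.gz>
backup_fishbucket() {
    fb_dir=$1; archive=$2
    [ -d "$fb_dir" ] || { echo "no fishbucket at $fb_dir" >&2; return 1; }
    # Archive relative to the parent so restore recreates the directory name.
    tar -C "$(dirname "$fb_dir")" -czf "$archive" "$(basename "$fb_dir")" || return 1
    # Record a digest so a damaged or altered archive is caught before restore.
    sha256sum < "$archive" > "$archive.sha256"
}

# restore_fishbucket <archive.tar.gz> <new_parent_dir>
restore_fishbucket() {
    archive=$1; parent=$2
    want=$(cat "$archive.sha256" 2>/dev/null)
    have=$(sha256sum < "$archive")
    [ -n "$want" ] && [ "$want" = "$have" ] \
        || { echo "digest mismatch or missing for $archive" >&2; return 1; }
    # Top-level directory name stored in the archive (e.g. "fishbucket").
    name=$(tar -tzf "$archive" | head -n 1 | cut -d/ -f1)
    # Refuse to merge into state the new forwarder has already written:
    # mixing old and new tracking data is worse than a one-off re-index.
    if [ -d "$parent/$name" ] && [ -n "$(ls -A "$parent/$name")" ]; then
        echo "$parent/$name is not empty; restore before first start" >&2
        return 1
    fi
    # -p keeps the original permission bits on the restored files.
    mkdir -p "$parent" && tar -C "$parent" -xzpf "$archive"
}
```

After restoring, check that the files are owned by the account the new forwarder runs as, then start it and watch for duplicate events from the monitored directory.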