For a clean installation of a Splunk forwarder, ho...

usup_rajbahak · ‎04-29-2016

Hey there,

If we were to do a clean install of a Splunk forwarder (rip out previous version of forwarder), is there a way to retain/backup the previous forwarder's search information/history (CRC information??), so that the new forwarder will not re-index all of the log files from the directory the previous forwarder was monitoring?

We do not want to do an in place upgrade of the forwarder, but rip of the old version and install a newer version of the forwarder, without having to re-index all of the log files the old forwarder would have already processed. Or, is this information (the crc) saved in the indexer?

Thanks for your time.
Usup

petercow · ‎04-29-2016

Splunk keeps track of what was already indexed in the 'fishbucket' directory, $splunkforwarder$/var/log/splunk/fishbucket

If you upgrade by installing 'on top' of your existing forwarder, its contents will be preserved, so no re-indexing will take place.

usup_rajbahak · ‎05-02-2016

thanks petercow..

I understand that doing in place upgrade will retain the settings, but we wanted to do a clean install, and maintain the indexing information where/if possible. Is it then safe to assume that restoring the fishbucket folder would do the trick?

Thanks again

petercow · ‎05-02-2016

Not sure, but probably. 🙂

For a clean installation of a Splunk forwarder, how do we retain a previous forwarder's search history to not reindex what was monitored?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?