Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I re-index all the data in my environment?

jradkowskiAAMC
Explorer
‎05-25-2010 08:44 PM

I have a datacenter with a single Splunk server indexing data from all the local servers. I just updated all the sourcetypes for the data and would like to reindex the data so the sourcetypes are properly set this time. How can I accomplish this?

Tags (2)
Reply

carasso
Splunk Employee
Splunk Employee
‎01-03-2011 11:17 PM

If you just want to change the sourcetype names, for search-time settings, you don't need to reindex any data! You can just use a sourcetype alias.

      http://answers.splunk.com/questions/4940/sourcetype-aliasing

Only if you need different timestamps and linebreaking do you really need to reindex.

Reply

Genti
Splunk Employee
Splunk Employee
‎05-25-2010 11:06 PM

Note 3. This action will permanently erase all indexed event data, user information, global data, and internal logs; it cannot be undone.

Index data User info (including changed passwords) and users Global data Internal logs All of the above get removed, so make sure you want to do that before you hit "Enter/return"

Note 4. Im not sure why it didnt work for you, but ./splunk clean eventdata seems to work very well for me...

Reply

eashwar
Communicator
‎04-12-2013 11:52 PM

hello in the above answer clean all is only mentioned for forwarders. i hope forwarder will not have index data, users.
if i am wrong please let me know.

0 Karma
Reply

jradkowskiAAMC
Explorer
‎05-25-2010 08:47 PM

Do the following steps:

1) Disable the applications on the servers with Forwarders using the Deployment manager (or manually do so using the GUI)

2) On the Index server, stop Splunk and clean all event data for a given index: /opt/splunk/bin/splunk stop /opt/splunk/bin/splunk clean eventdata dev_tools

3) On the servers with Splunk Forwarders, stop and clean all: /opt/splunk/bin/splunk stop /opt/splunk/bin/splunk clean all

4) Start the Splunk Indexer /opt/splunk/bin/splunk start

5) Verify the index you just cleared is empty and is staying empty before proceeding. If it isn't staying empty ensure you've disabled the applications on the servers with Splunk Forwarders and make sure you didn't overlook any servers.

6) Start the Splunk forwarder servers: /opt/splunk/bin/splunk start

6) Re-enable the applications via the Deployment Manager or manually using the Agents GUI.

Note: Be aware, if you "clean all" on the forwarders you will also clear out the pointers for all indexes and applications so this process is only good to completely re-index an environment environment or set of indexes a set of servers and indexer may contain.

Note 2: Don't do this unless your license (and hardware) can handle the spike as you will most certainly index a lot of legacy data if your inputs are setup with wildcard inputs.

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...