Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How can I re-index all the data in my environment?

jradkowskiAAMC
Explorer
‎05-25-2010 08:44 PM

I have a datacenter with a single Splunk server indexing data from all the local servers. I just updated all the sourcetypes for the data and would like to reindex the data so the sourcetypes are properly set this time. How can I accomplish this?

Tags (2)
Reply

carasso
Splunk Employee
Splunk Employee
‎01-03-2011 11:17 PM

If you just want to change the sourcetype names, for search-time settings, you don't need to reindex any data! You can just use a sourcetype alias.

      http://answers.splunk.com/questions/4940/sourcetype-aliasing

Only if you need different timestamps and linebreaking do you really need to reindex.

Reply

Genti
Splunk Employee
Splunk Employee
‎05-25-2010 11:06 PM

Note 3. This action will permanently erase all indexed event data, user information, global data, and internal logs; it cannot be undone.

Index data User info (including changed passwords) and users Global data Internal logs All of the above get removed, so make sure you want to do that before you hit "Enter/return"

Note 4. Im not sure why it didnt work for you, but ./splunk clean eventdata seems to work very well for me...

Reply

eashwar
Communicator
‎04-12-2013 11:52 PM

hello in the above answer clean all is only mentioned for forwarders. i hope forwarder will not have index data, users.
if i am wrong please let me know.

0 Karma
Reply

jradkowskiAAMC
Explorer
‎05-25-2010 08:47 PM

Do the following steps:

1) Disable the applications on the servers with Forwarders using the Deployment manager (or manually do so using the GUI)

2) On the Index server, stop Splunk and clean all event data for a given index: /opt/splunk/bin/splunk stop /opt/splunk/bin/splunk clean eventdata dev_tools

3) On the servers with Splunk Forwarders, stop and clean all: /opt/splunk/bin/splunk stop /opt/splunk/bin/splunk clean all

4) Start the Splunk Indexer /opt/splunk/bin/splunk start

5) Verify the index you just cleared is empty and is staying empty before proceeding. If it isn't staying empty ensure you've disabled the applications on the servers with Splunk Forwarders and make sure you didn't overlook any servers.

6) Start the Splunk forwarder servers: /opt/splunk/bin/splunk start

6) Re-enable the applications via the Deployment Manager or manually using the Agents GUI.

Note: Be aware, if you "clean all" on the forwarders you will also clear out the pointers for all indexes and applications so this process is only good to completely re-index an environment environment or set of indexes a set of servers and indexer may contain.

Note 2: Don't do this unless your license (and hardware) can handle the spike as you will most certainly index a lot of legacy data if your inputs are setup with wildcard inputs.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...