Re: How do I force a universal forwarder to reinde...

daniel333 · ‎06-13-2016

All,

Is there a way to make a Universal Forwarder reindex all its inputs?

thanks
-Daniel

MuS · ‎06-13-2016

Hi daniel333,

btool is used to view or validate Splunk config files.
Probably btprobe was meant in the previous answer, which enables you to remove fish bucket information for a specific file.
Easiest way to re-index all inputs on a universal forwarder is to delete the fish bucket index while Splunk UF is stopped:

 $SPLUNK_HOME/bin/splunk stop
 rm -rf $SPLUNK_HOME/var/lib/splunk/fishbucket
 $SPLUNK_HOME/bin/splunk start

Splunk will re-create the fish bucket index and immediately re-index all the inputs on your universal forwarder, so watch out for your license usage 😉

cheers, MuS

ddrillic · ‎06-13-2016

A sensational explanation at How to reindex data from a forwarder

vpassaro · ‎01-16-2019

404 -- not found

woodcock · ‎06-13-2016

Reset the fishbucket with btprobe:

http://docs.splunk.com/Documentation/Splunk/6.4.1/Troubleshooting/CommandlinetoolsforusewithSupport

spl_unker · ‎02-24-2022

is there a way to clear fishbucket without reindexing? In one of the old UF , fishbucket file has occupied complete disk space and i need to clear the file to run Splunk again.

How do I force a universal forwarder to reindex all its inputs?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation