How to decode which file being tracked in fishbuck...

Getting Data In

Hello,

I have an universal forwarder configured to watch a file using the inputs.conf(crcSalt=<SOURCE>). This works perfect, but I need to test sending the same file over and over again by prodding the local fishbucket instance to "forget" the file being monitored.

Unfortunately when I run the btprobe command, I get file not found.

btprobe -d /opt/splunk/var/lib/splunk/fishbucket/splunk_private_db --file /path/to/somefile --reset

I did a btool list input status, and the correct file shows up.

I then did a compute crc with the salt set to "/path/to/somefile" and used that in the btprobe command earlier and still doesn't work.

btprobe --compute-crc /path/to/somefile --salt "/path/to/somefile"

I used the results of the above command and did this and still found nothing.

splunk cmd btprobe -d $SPLUNK_DB/fishbucket/splunk_private_db -k ALL | egrep 0x34a86c35e2c71990

Can somebody point me in the right direction to get around this issue?

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

Are you a member of the Splunk Community?