Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I ran |delete on data. Why won't the forwarder resend?

matstap
Communicator
‎02-01-2019 10:23 AM

I ran |delete on some data (oops!). How do I get the universal forwarder to send the data to the indexers again?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

matstap
Communicator
‎02-01-2019 12:11 PM

I stopped the forwarder, installed another universal forwarder and configured inputs.conf to monitor only the files I ran |delete on and that worked. I then uninstalled the new forwarder and restarted the old one.
I didn't want to clear the fishbucket because I didn't want ALL of the data to be re-ingested and for some reason the forwarder to forget the specific files wasn't working for me.
Maybe not the best solution, but it worked.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

matstap
Communicator
‎02-01-2019 12:11 PM

I stopped the forwarder, installed another universal forwarder and configured inputs.conf to monitor only the files I ran |delete on and that worked. I then uninstalled the new forwarder and restarted the old one.
I didn't want to clear the fishbucket because I didn't want ALL of the data to be re-ingested and for some reason the forwarder to forget the specific files wasn't working for me.
Maybe not the best solution, but it worked.

0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-01-2019 10:27 AM

Look at the answer on this page: https://answers.splunk.com/answers/72562/how-to-reindex-data-from-a-forwarder.html (look at the second section). It is an excellent write-up of what you need to know.

This is probably what you need:

  • on a forwarder by removing the folder $SPLUNK_HOME/var/lib/splunk/fishbucket

or selectively forgot a single file from the fishbucket

  • splunk cmd btprobe -d $SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db --file $FILE --reset

good luck

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎02-01-2019 10:26 AM

You need to clear the fishbucket out on the forwarder so it see's it as data it hasn't indexed yet. Option B would be to open the files and insert a single character near the top so it tricks the forwarder into thinking its a new file

https://www.splunk.com/blog/2008/08/14/what-is-this-fishbucket-thing.html

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...