Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to retroactively split logs by deleting the universal forwarder off the server, then reinstall it with props.conf changes?

skoelpin
SplunkTrust
SplunkTrust
‎06-25-2015 01:07 PM

I have about 10 million events in one index and my manager wants me to split them up differently than they currently are. So I went into the props.conf and wrote some regex to correctly split the logs. Now I want to have those logs split retroactively from the first event.

My question.. Would this be possible if I were to delete the forwarder off the server then re-install the forwarder with the changes in my props.conf?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-25-2015 08:20 PM

Yes, the easiest way is to uninstall and then reinstall Splunk on the forwarder and that will do it. You also need to delete the data that is currently in your indexers like this:

index=myIndex | delete

Yes, I know that doesn't really delete it but for his purposes, it is fine.
If you would like something a bit quicker and less radical, you can search the subject "cleaning the fishbucket" and do that on your forwarder to cause it to forget that it has ever forwarded anything.

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-25-2015 08:20 PM

Yes, the easiest way is to uninstall and then reinstall Splunk on the forwarder and that will do it. You also need to delete the data that is currently in your indexers like this:

index=myIndex | delete

Yes, I know that doesn't really delete it but for his purposes, it is fine.
If you would like something a bit quicker and less radical, you can search the subject "cleaning the fishbucket" and do that on your forwarder to cause it to forget that it has ever forwarded anything.

Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎06-30-2015 08:32 AM

Excellent explanation!

0 Karma
Reply
Solved! Jump to solution

matthieu_araman
Communicator
‎06-25-2015 01:30 PM

hello,

I would use another index for testing (or make a backup)
it's not clear where the data came from
if it's from files on the uf which are still there, then no need to reinstall
you can stop splunk uf, remove the fishbucket directory and restart the uf and splunk will start from scratch
see http://answers.splunk.com/answers/72562/how-to-reindex-data-from-a-forwarder.html

Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎06-30-2015 08:33 AM

Thanks for the info. That link was very helpful!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...