Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to retroactively split logs by deleting the universal forwarder off the server, then reinstall it with props.conf changes?

skoelpin
SplunkTrust
SplunkTrust
‎06-25-2015 01:07 PM

I have about 10 million events in one index and my manager wants me to split them up differently than they currently are. So I went into the props.conf and wrote some regex to correctly split the logs. Now I want to have those logs split retroactively from the first event.

My question.. Would this be possible if I were to delete the forwarder off the server then re-install the forwarder with the changes in my props.conf?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-25-2015 08:20 PM

Yes, the easiest way is to uninstall and then reinstall Splunk on the forwarder and that will do it. You also need to delete the data that is currently in your indexers like this:

index=myIndex | delete

Yes, I know that doesn't really delete it but for his purposes, it is fine.
If you would like something a bit quicker and less radical, you can search the subject "cleaning the fishbucket" and do that on your forwarder to cause it to forget that it has ever forwarded anything.

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-25-2015 08:20 PM

Yes, the easiest way is to uninstall and then reinstall Splunk on the forwarder and that will do it. You also need to delete the data that is currently in your indexers like this:

index=myIndex | delete

Yes, I know that doesn't really delete it but for his purposes, it is fine.
If you would like something a bit quicker and less radical, you can search the subject "cleaning the fishbucket" and do that on your forwarder to cause it to forget that it has ever forwarded anything.

Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎06-30-2015 08:32 AM

Excellent explanation!

0 Karma
Reply
Solved! Jump to solution

matthieu_araman
Communicator
‎06-25-2015 01:30 PM

hello,

I would use another index for testing (or make a backup)
it's not clear where the data came from
if it's from files on the uf which are still there, then no need to reinstall
you can stop splunk uf, remove the fishbucket directory and restart the uf and splunk will start from scratch
see http://answers.splunk.com/answers/72562/how-to-reindex-data-from-a-forwarder.html

Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎06-30-2015 08:33 AM

Thanks for the info. That link was very helpful!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...