Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Issue with crcsalt not reindexing files

jarlin
New Member
‎09-30-2019 08:40 AM

A newbie splunker here. I got a doubt about crcsalt as for some reason it's not working for me. I got a task to monitor .conf files for some apps and I made the inputs.conf & props.conf in a server after testing there were some issues so I did crcsalt for it to reindex these files and they did. Now I had to do this again in another server and made an app for it and pushed it to the DX & CM and also towards their respective clusters as well but due to certain circumstances I had to reindex these files with crcsalt the second time but for some reason the files aren't getting reindexed. I changed the sourcetype in props.conf it didn't work still. After foraging through answers.splunk the only answers I got was to clear the fishbucket which is a no go for me, use btprobe which is also a no go or to use crcsalt. Is there any possible way to fix this other than indexing it into a new index? Any help would be appreciated.

Edit: I created a new index hoping that the files would be reindexed but it didn't work as well. Now I'm scratching my head for a reason why it ain't working.

0 Karma
Reply

gfreitas
Builder
‎10-02-2019 07:52 AM

Hey man, if you're talking about reindexing only one file in a single server you can use the one shot option. You can find some information here: https://answers.splunk.com/answers/72562/how-to-reindex-data-from-a-forwarder.html

0 Karma
Reply

jarlin
New Member
‎10-02-2019 12:05 PM

No, I'm monitoring multiple paths in the same inputs.conf and I'm facing issues with crcsalt. I also created a new index but its not reindexing again. As for one shot option its seems like a very tedious option.

0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎10-07-2019 04:59 PM

What version of Splunk are you running?

I actually hit a maddening problem that sounds like this, quite a few versions back and I resorted to weird things like setting crcSalt to random strings like "reindex this 17" when crcSalt=<SOURCE> mysteriously stopped working. At the time I had the option to clean that index and I think I did. And then the problem never returned but I had since upgraded Splunk.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Search APIを使えば調査過程が残せます

   このゲストブログは、JCOM株式会社の情報セキュリティ本部・専任部長である渡辺慎太郎氏によって執筆されました。 Note: This article is published in both Japanese ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...