Getting Data In

Issue with crcsalt not reindexing files

jarlin
New Member

A newbie splunker here. I got a doubt about crcsalt as for some reason it's not working for me. I got a task to monitor .conf files for some apps and I made the inputs.conf & props.conf in a server after testing there were some issues so I did crcsalt for it to reindex these files and they did. Now I had to do this again in another server and made an app for it and pushed it to the DX & CM and also towards their respective clusters as well but due to certain circumstances I had to reindex these files with crcsalt the second time but for some reason the files aren't getting reindexed. I changed the sourcetype in props.conf it didn't work still. After foraging through answers.splunk the only answers I got was to clear the fishbucket which is a no go for me, use btprobe which is also a no go or to use crcsalt. Is there any possible way to fix this other than indexing it into a new index? Any help would be appreciated.

Edit: I created a new index hoping that the files would be reindexed but it didn't work as well. Now I'm scratching my head for a reason why it ain't working.

0 Karma

gfreitas
Builder

Hey man, if you're talking about reindexing only one file in a single server you can use the one shot option. You can find some information here: https://answers.splunk.com/answers/72562/how-to-reindex-data-from-a-forwarder.html

0 Karma

jarlin
New Member

No, I'm monitoring multiple paths in the same inputs.conf and I'm facing issues with crcsalt. I also created a new index but its not reindexing again. As for one shot option its seems like a very tedious option.

0 Karma

sideview
SplunkTrust
SplunkTrust

What version of Splunk are you running?

I actually hit a maddening problem that sounds like this, quite a few versions back and I resorted to weird things like setting crcSalt to random strings like "reindex this 17" when crcSalt=<SOURCE> mysteriously stopped working. At the time I had the option to clean that index and I think I did. And then the problem never returned but I had since upgraded Splunk.

0 Karma
Get Updates on the Splunk Community!

Security Highlights: September 2022 Newsletter

 September 2022 The Splunk App for Fraud Analytics (SFA) is now Splunk SupportedUse your existing Splunk ...

Platform Highlights | September 2022 Newsletter

 September 2022 What’s New in 9.0 and How to UpgradeGet a walk through of what is new Splunk Enterprise 9.0 ...

Observability Highlights | September 2022 Newsletter

 September 2022 Splunk Observability SuiteAccess to "Classic" SignalFx Interface Will be Removed on Sept 30, ...