Need to reset heavy forwarder _fishbucket

dgililo · ‎09-27-2013

We run SPLUNK in test and dev environment to test parsing logic before moved to production monitoring. so need to reset Heavy Forwarder to index from scratch once parsing logic has been updated.

On the heavy forwarder i am trying to use

$ ./splunk clean eventdata -index fishbucket This action will permanently erase all events from the index 'fishbucket'; it cannot be undone. Are you sure you want to continue [y/n]? y ERROR: Index 'fishbucket' does not exist. [ebstsf-17] /app/splunk/bin $ ./splunk clean eventdata _fishbucket This action will permanently erase all events from the index 'fishbucket'; it cannot be undone. Are you sure you want to continue [y/n]? y ERROR: Index '_fishbucket' does not exist. [ebstsf-17] /app/splunk/bin $ cd ../var/lib/

Both commands throw ERROR: Index '_fishbucket' does not exist.

please help

Drainy · ‎09-29-2013

Just to throw another angle in here, are you doing index and forward? I've discovered (at least on v5.0.2) that if I clear an index, e.g. main, Splunk appears to either clear the fishbucket or the index has its own one associated with it...
Might be me getting confused over the years but I didn't need to clear any fishbucket to restart indexing, as I'm certain I have in the past.

yannK · ‎09-27-2013

try the hard method :

stop splunk
delete $SPLUNK_HOME/var/lib/splunk/fishbucket
restart, and all will be re-detected as new.

Need to reset heavy forwarder _fishbucket

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!