The forwarding from this directory was working previous to the clean. My understanding was this was supposed to clean out all indexes including the fishbucket, causing Splunk to forget what had already been indexed and reindex it all. There have even been new events generated since the clean, which I would certainly expect to be forwarded and indexed, but I am not seeing anything.
Other stanzas, from the same inputs.conf, are working, like performance data.
What am I doing wrong here?
For completeness' sake, this is the stanza I am expecting to see data from.
[monitor://C:\Websites\logs\...\*]
disabled = false
sourcetype = app_logs
index = app_logs
Turns out, this was a role permissions issue.
The user account that was performing the searches did not have "All internal indexes" selected under "Indexes searched by default". I was trying to validate the search by searching by host, not by index. If I search for this index specifically, the data comes up.
After adding "All internal indexes" the data comes up in a by host search.
I don't know whether the "splunk clean all" command deletes fishbuckets or not.
But if you delete the fishbucket manually and start the UF instance, it will retransfer that monitoring data to the indexer.
cd $SPLUNK_HOME/var/lib/splunk/fishbucket
rm -fR *
Unfortunately I am on Windows... but I did another clean all and it did empty out the fishbucket dir.
Hi neiljpeterson,
On a forwarder you should remove the folder $SPLUNK_HOME/var/lib/splunk/fishbucket.
On an indexer, splunk clean eventdata -index _fishbucket will do the magic.
cheers, MuS
This is what I found
04-01-2014 09:18:42.197 -0500 INFO TailingProcessor - Parsing configuration stanza: monitor://C:\Websites\logs\...\*.
Check your forwarder's splunkd.log for anything related to tailingprocess regarding this input.
splunk clean all does this. I just did it again as a test.
On a forwarder you should remove the folder $SPLUNK_HOME/var/lib/splunk/fishbucket.
One or the other or both?