Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Re-index a file and prevent duplicates

JeremyHagan
Communicator
‎11-12-2013 05:09 PM

Hi,

I have some CSV files which were indexed, but a proportion of the events were corrupted in the index. Each file has up to 1 million records. Is there a way to ask Splunk to re-index this file and to only index events that it doesn't current have? Each event has a unique record ID field.

Tags (3)
Reply

ShaneNewman
Motivator
‎11-12-2013 05:53 PM

An easier way might be to delete the events you have in your index now, clean the fishbucket, and just let Splunk reindex them.

0 Karma
Reply

ShaneNewman
Motivator
‎11-12-2013 06:14 PM

Yes. This is what I do.

Run the search that has the events you need to delete, I assume you don't want to delete the entire index. If you do, run the below command with the index name that you wish to wipe out, then clean _thefishbucket. Otherwise, run your search to find your events, then pipe that "| delete".

cd out to the Splunk\bin directory. Type splunk stop. Then type splunk clean eventdata -index _thefishbucket

Then type splunk start. The rest is automatic, assuming you have fixed the files.

0 Karma
Reply

JeremyHagan
Communicator
‎11-12-2013 05:59 PM

Clean the fishbucket?

0 Karma
Reply

jtrucks
Splunk Employee
Splunk Employee
‎11-12-2013 05:31 PM

You might want to make a report of the record IDs you have in Splunk, then cull those from your input file. Then use splunk add oneshot to import the file (or some other method).

--
Jesse Trucks
Minister of Magic
Reply

JeremyHagan
Communicator
‎11-12-2013 05:36 PM

I was kind of hoping for something a little less manual....

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...