How do I get the data re-indexed to same sourcetype which I deleted using the delete command.
lets say I used this query: index=demo sourcetype=db_demo| delete
now here correct me If i am wrong, my "db_demo" data is marked as deleted that it is unsearchable but it is not deleted from disk space.
now my question is without cleaning my index, how can I re-index or you can say monitor again my " db_demo" without changing the sourcetype. I don't want to change sourcetype "db_demo" to something else.
The process that got the db_demo data into the demo index in the first place must be repeated.
If the data came from a file, then Splunk will not re-process it because remembers reading it before. You'll have to tell Splunk to "forget" that file by deleting the fishbucket. To do that, run this CLI command
yes the data you deleted are phisically still in your index but are unsearcable.
To reindex them I need to know which kind of logs are they:
If they arrive from syslog, it's not possible to reindex them.
if they arrive from dbconnect, it's a little difficoult but possible because you have to manually modify (the From DB Connect 3 and later) the rising column checkpoints of the input that are stored in $SPLUNK_HOME/var/lib/splunk/modinputs/server/splunk_app_db_connect.
If they are from files, you have to identify the sources to reindex and, if they are few, manually load them by guided procedure, if they are many you have to modify your inputs.conf adding to the related stanza the option