Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Re-index data

TheFlash
Path Finder
‎04-06-2021 07:29 AM

How do I get the data re-indexed to same sourcetype which I deleted using the delete command.

for eg.

        lets say I used this query: index=demo sourcetype=db_demo| delete 

now here correct me If i am wrong, my "db_demo" data is marked as deleted that it is unsearchable but it is not deleted from disk space.

now my question is without cleaning my index, how can I re-index or you can say monitor again my " db_demo" without changing the sourcetype. I don't want to change sourcetype "db_demo" to something else.

is there a way ?

Labels (5)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-06-2021 07:52 AM

Hi @TheFlash,

yes the data you deleted are phisically still in your index but are unsearcable.

To reindex them I need to know which kind of logs are they:

  • from db-connect,
  • from files,
  • from syslogs?

If they arrive from syslog, it's not possible to reindex them.

if they arrive from dbconnect, it's a little difficoult but possible because you have to manually modify (the From DB Connect 3 and later) the rising column checkpoints of the input that are stored  in $SPLUNK_HOME/var/lib/splunk/modinputs/server/splunk_app_db_connect.

If they are from files, you have to identify the sources to reindex and, if they are few, manually load  them by guided procedure, if they are many you have to modify your inputs.conf adding to the related stanza the option 

crcSalt = <SOURCE>

Ciao.

Giuseppe 

View solution in original post

Reply
Solved! Jump to solution

hnorvik
Explorer
‎10-25-2021 02:16 PM

If you want to have the deleted data reappear for searching without actually re-indexing the data, you can do the following:

  • Stop Splunk
  • In the folder for the index, find the buckets by UTC timestamp where you want to recover the deleted data.
  • Within the bucket's rawdata folder you will find a folder called deletes containing one or more csv.gz files. Remove the deletes folder. 
  • Start Splunk

A side effect of this is that ALL deleted data will then reappear - not just your sourcetype=db_demo.

Since you now have access to all the data that was present in the index, you can use any other export / re-index methods on the data. By exporting _raw records to a CSV file you can also use monitor / file upload again if you need to test your indexing process. 

I recommend making a copy of your original index demo to work on rather than working on the original. If something during this process fails you can always return to start.  Also - do this in a lab before working on the real dataset. I am not sure if this causes any issues around the tsidx files or the .bucketmanifest, but this worked for me when I needed to restore some "lost" data.

Regards, H.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-06-2021 08:05 AM

The process that got the db_demo data into the demo index in the first place must be repeated.

If the data came from a file, then Splunk will not re-process it because remembers reading it before.  You'll have to tell Splunk to "forget" that file by deleting the fishbucket.  To do that, run this CLI command 

splunk cmd btprobe -d /opt/splunkforwarder/var/lib/splunk/fishbucket/splunk_private_db --file <foo> --reset

replace "<foo>" with the name of the file you wish to re-index.

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-06-2021 07:52 AM

Hi @TheFlash,

yes the data you deleted are phisically still in your index but are unsearcable.

To reindex them I need to know which kind of logs are they:

  • from db-connect,
  • from files,
  • from syslogs?

If they arrive from syslog, it's not possible to reindex them.

if they arrive from dbconnect, it's a little difficoult but possible because you have to manually modify (the From DB Connect 3 and later) the rising column checkpoints of the input that are stored  in $SPLUNK_HOME/var/lib/splunk/modinputs/server/splunk_app_db_connect.

If they are from files, you have to identify the sources to reindex and, if they are few, manually load  them by guided procedure, if they are many you have to modify your inputs.conf adding to the related stanza the option 

crcSalt = <SOURCE>

Ciao.

Giuseppe 

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-04-2021 09:13 AM

Hi @TheFlash,

good for you, see nect time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...