Getting Data In

Re-send data with universal forwarder?

kevintelford
Path Finder

When using a lightweight-forwarder we were able to clean the fishbucket (eventdata) so that we could re-forward data. Trying this on the new universal forwarder yields the message "ERROR: Cleaning eventdata is not supported on this version." Is there a new way to do this?

Thanks, Kevin

1 Solution

amrit
Splunk Employee

There is currently no command that will clean only the fishbucket (this is a bug, lack of foresight, something). You should file an ER for this, but in the meantime you can just wipe the contents of $SPLUNK_DB/var/lib/splunk/fishbucket/ .

cervelli
Splunk Employee

The clean all command works for removing the fishbucket on a UF. Is there a reason you can't issue that command?

gkanapathy
Splunk Employee

cervelli said clean all, not clean eventdata.

0 Karma

ferenc0521
New Member

clean all removed all user data, including admin. I cannot add admin back, because it requires authorization.
catch 22

0 Karma

ferenc0521
New Member

So I tried clean all, but didn't see the files/events resent. Moreover, the admin user is gone, so I
can't check with:
https://:8089/services/admin/inputstatus/TailingProcessor:FileStatus
because no auth with admin is possible.

I guess reinstall/config is the next step.

0 Karma

tonopahtaos
Path Finder

Here is why:

C:\Program Files\SplunkUniversalForwarder\bin>splunk clean eventdata
This action will permanently erase all events from ALL indexes; it cannot be undone.
Are you sure you want to continue [y/n]? y
ERROR: Cleaning eventdata is not supported on this version.

gkanapathy
Splunk Employee

I don't know his problem, but I guess this would wipe/reset the user/password data, wouldn't it?

tonopahtaos
Path Finder

This did not work for me. When UF was running, I got an error when I wiped out the content of 'fishbucket'. I have to stop UF first, then remove all under 'fishbucket'. After restarting UF, I did not see any admon or Windows audit event resent.

0 Karma
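
The stop, wipe, restart sequence from the answer and reply above, as an added example that is not part of the thread and not Splunk's own code. It assumes a *nix universal forwarder; the function name, its arguments and the backup naming are hypothetical, and the fishbucket path is passed in rather than hard-coded.

```shell
#!/bin/sh
# Added example, not code from the thread or from Splunk.
# Assumptions: a *nix universal forwarder whose CLI accepts `stop`, `start`
# and `status`, and whose `status` exits 0 only while splunkd is running.

# reset_fishbucket SPLUNK_BIN FISHBUCKET_DIR
#   SPLUNK_BIN      path to the forwarder's splunk CLI
#   FISHBUCKET_DIR  the fishbucket directory named in the answer above
# Moves the fishbucket contents into a timestamped backup directory instead
# of deleting them, so the old file checkpoints can be put back.
# Prints the backup path. Returns 1 on bad arguments, 2 if the forwarder
# is still running after `stop` (nothing is touched in that case).
reset_fishbucket() {
    splunk_bin=$1
    fishbucket=${2%/}

    [ -x "$splunk_bin" ] || { echo "no splunk CLI at $splunk_bin" >&2; return 1; }
    [ -d "$fishbucket" ] || { echo "no directory at $fishbucket" >&2; return 1; }
    # Guard against a mistyped path: only operate on a directory named fishbucket.
    [ "$(basename "$fishbucket")" = fishbucket ] || {
        echo "refusing: $fishbucket is not a fishbucket directory" >&2; return 1; }

    # Per the reply above, wiping while the forwarder runs fails: stop it first.
    "$splunk_bin" stop >/dev/null 2>&1 || true
    if "$splunk_bin" status >/dev/null 2>&1; then
        echo "forwarder still running; fishbucket left untouched" >&2
        return 2
    fi

    backup="$fishbucket.bak.$(date +%Y%m%d%H%M%S)"
    mkdir "$backup" || return 1
    # Move every entry (dotfiles included), keeping the directory itself
    # and its ownership in place.
    find "$fishbucket" -mindepth 1 -maxdepth 1 -exec mv {} "$backup/" \; || return 1

    "$splunk_bin" start >/dev/null 2>&1 || return 1
    echo "$backup"
}
```

With the checkpoints gone the forwarder re-reads every monitored file from the start, so the indexers receive events they already hold and duplicates are expected.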

amrit
Splunk Employee

You want a cookie?

kevin_telford
New Member

Four plus years and still no cookie. Hopefully you don't treat all the ladies this way.

0 Karma

kevintelford
Path Finder

Submitted: Case # 57213

0 Karma