Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Reset splunkforwarder to re-read file from beginning

moshman
Explorer
‎04-27-2012 10:58 AM

I have a log file that I need to have the splunkforwarder re-start from the very beginning.
my index.conf entry is this:
[monitor:///var/log/app/prod/hostname0050.log]
sourcetype=cmsdk_log
index=app
host=hostname0050
followTail=0

However I keep getting this message in the splunkd.log
04-27-2012 10:15:27.053 -0700 INFO WatchedFile - Will begin reading at offset=1361969172 for file='/var/log/app/prod/hostname0050.log'.

I would like it to re-read the entire file to get the past history.
Any thoughts?

Tags (2)
Reply

glitchcowboy
Path Finder
‎08-27-2012 06:31 AM

In my case, I had access to splunk, but am not able to touch the log files. I'm using the universal forwarder (4.3) and

splunk clean eventdata -index _fishbucket

returns

ERROR: Cleaning eventdata is not supported on this version.

so I took a wild guess and this appears to have done the trick.

rm -rf /opt/splunkforwarder/var/lib/splunk/fishbucket

And yes, I'm just setting this up, so I'm not concerned about losing any splunk data.

Reply

aferone
Builder
‎08-21-2014 07:57 AM

Deleting the directory worked for me. I tried running command to clear the index, but it didn't work.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎04-27-2012 11:14 AM

You have several methods :

  • Recommended : reindex just one file : change the crc of the file.
    edit the file, add a first line, by example a comment." # splunk reindex".
    The tailing processor will compare the CRC of the first 256 chars of the file with the list he maintains, and will detect the file as a new one, and index it.

  • variant : if you are already using the option crcSalt=, then the path+filename is used on the crc calculation. Then you just need to rename the file, or move it.

  • Big guns : reset the forwarder for all logs, blow the fishbucket index that contain the position for each monitored files. Beware all will be reindexed.

    ./splunk stop
    ./splunk clean eventdata -index _fishbucket

Reply

serjandrosov
Path Finder
‎04-27-2018 11:25 PM

variant2: use another crcSalt

crcSalt=reIndexItAll
0 Karma
Reply

rroberts
Splunk Employee
Splunk Employee
‎04-27-2012 11:09 AM

You could clean the fishbucket on the fowarder. That will cause to forwarder to start all over on it's inputs.
Check out : http://wiki.splunk.com/Community:HowSplunkReadsInputFiles and http://blogs.splunk.com/2008/08/14/what-is-this-fishbucket-thing/

0 Karma
Reply

moshman
Explorer
‎04-27-2012 11:09 AM

Yes, the app index has a whole lot of other application data.
This is just a one time re-index of the single file, once it reads it I was going to change it to just tail the file from that point on.

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎04-27-2012 11:07 AM

Is it a one time need to re-index the file or is it going to continually monitor it? I assume your 'app' index has other data and therefore we can't just clean the index and re-index the file?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...