Solved: Will deleting the fish bucket file cause forwarder...

spl_unker · ‎02-24-2022

Hi ,

In one of the OLD UF, fish bucket has occupied the complete disk space and service has been stopped. will deleting the fish bucket file cause forwarder to send all the old data that is already indexed ?

gcusello · ‎02-24-2022

Hi @spl_unker,

yes, all the log files still present in the system and reachable by the inputs.conf stanzas will be indexed again.

Probably the only way is to give more space to the Splunk partition.

Ciao.

Giuseppe

View solution in original post

spl_unker · ‎02-24-2022

Thanks for the confirmation @gcusello

gcusello · ‎02-24-2022

Hi @spl_unker,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

gcusello · ‎02-24-2022

Hi @spl_unker,

yes, all the log files still present in the system and reachable by the inputs.conf stanzas will be indexed again.

Probably the only way is to give more space to the Splunk partition.

Ciao.

Giuseppe

impurush · ‎05-02-2022

Hi @gcusello,

Is there any mechanism to clear the entries from the fish bucket after some time or let's say if I set the limit in the fish bucket, which part of the fish bucket gets reduced to like 1 GB fish bucket, and if I set 500 MB and what would be deleted?

Increasing the space for the fish bucket is not the solution I am looking for because it may not have the entries from the old as the retention period in the server is less but the number of rotated files is more.

gcusello · ‎05-02-2022

Hi @impurush,

you can find how to clean the fishbucket in this answer https://community.splunk.com/t5/Getting-Data-In/How-to-reindex-data-from-a-forwarder/m-p/93310

Ciao.

Giuseppe

Will deleting the fish bucket file cause forwarder to send all the old data that is already indexed?

universal forwarder

.conf23 Registration is Now Open!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control