Getting Data In

deleted data input file directory. Then, renamed and created a new data input directory. Ran Search but no results found

qtorque95
Explorer

In Splunk Enterprise version 7.2.1, Step 1: created a data input from the "Files & Folders" | "New Local File & Directory" button. For example: D:\a4. Then ran a search query on the D:\a4 contents and it returned results OK.
Then realized I misspelled "a4", so I deleted the data input "a4" from http://localhost:8000/en-US/manager/search/data/inputs/monitor. Next, in Windows Explorer, renamed the folder from "a4" to "b4".
And repeated Step 1 and pointed to D:\b4.
However, after running a search on the new data input directory, I get no results. Checked C:\Program Files\Splunk\etc\apps\search\local\inputs.conf, and "D:\a4" is not listed. Please help me. Thanks.

0 Karma
1 Solution

whrg
Motivator

Hello @qtorque95,

Check out How Splunk Enterprise handles log file rotation.

When you or a log rotation program moves a file, Splunk recognizes that it is the same file and does not index it again.

If you really want to index that file again, then I see two options:

Option 1: Add the following line to your inputs.conf:

crcSalt = <SOURCE>

Doing so ensures that each file has a unique CRC.

(You need to restart Splunk after making changes to configuration files.)

Option 2: You remove the indexed data. Do the following on the command line:

splunk clean eventdata -index <index_name>

This will delete the indexed data and reindex any inputs. You need to stop Splunk first before issuing this command.

0 Karma
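The duplicate check described in the answer above, as a simplified model added here (not Splunk's code and not part of the original posts). Assumptions: `zlib.crc32` stands in for Splunk's own checksum, `Fishbucket`, `head_key` and the `app.log` file name are hypothetical, and the 256-byte head length is Splunk's default `initCrcLength`.

```python
import zlib

INIT_CRC_LENGTH = 256  # Splunk's default initCrcLength (bytes of file head checked)

def head_key(path, content, crc_salt=None):
    """Key identifying a file: checksum of its first 256 bytes.
    zlib.crc32 is a stand-in (assumption); Splunk uses its own checksum."""
    data = content[:INIT_CRC_LENGTH]
    if crc_salt == "<SOURCE>":
        data = path.encode("utf-8") + data  # full source path mixed into the key
    return zlib.crc32(data)

class Fishbucket:
    """Toy checkpoint store (hypothetical): key -> number of bytes already read.
    It lives apart from inputs.conf, so deleting an input leaves it in place."""
    def __init__(self):
        self.seen = {}

    def monitor(self, path, content, crc_salt=None):
        """Return the bytes a monitor input would send to the index."""
        key = head_key(path, content, crc_salt)
        offset = self.seen.get(key, 0)
        self.seen[key] = len(content)
        return content[offset:]

# Constructed sample file content, longer than 256 bytes.
LOG = b"2019-01-07 10:00:01 login user=alice\n" * 10

def demo():
    fb = Fishbucket()
    first = fb.monitor(r"D:\a4\app.log", LOG)      # original folder: indexed
    renamed = fb.monitor(r"D:\b4\app.log", LOG)    # renamed folder: same head
    salted = fb.monitor(r"D:\b4\app.log", LOG, crc_salt="<SOURCE>")
    rotated = fb.monitor(r"D:\b4\app.log.1", LOG, crc_salt="<SOURCE>")
    return len(first), len(renamed), len(salted), len(rotated)

if __name__ == "__main__":
    print(demo())
```

The renamed folder yields nothing because the file head is unchanged, while the salted key treats each path as a new file. The last value shows the cost: with `crcSalt = <SOURCE>`, a log that is rotated to a new name is indexed a second time as duplicate events.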

qtorque95
Explorer

Thank you @whrg, @prakash007 for your answers. What I did to solve it:
1. In Windows Server, went to Control Panel --> Services.
2. Stop and start "Splunkd Service".

0 Karma

prakash007
Builder

@qtorque95: Looks like you have Splunk Enterprise installed on your local...
1. Try running this command to check the input status of the monitor path:
$SPLUNK_HOME/bin/splunk list input status
2. If you see your monitor path in the list above, you can reset the file checkpoints (Splunk might be treating the above file as a duplicate):
https://docs.splunk.com/Documentation/Splunk/7.2.1/Troubleshooting/CommandlinetoolsforusewithSupport...
Read this Splunk doc on how Splunk calculates the CRC:
https://docs.splunk.com/Documentation/Splunk/7.2.1/Data/Howlogfilerotationishandled
3. Stop Splunk, delete the fishbucket ($SPLUNK_HOME/var/lib/splunk/fishbucket), and start Splunk (this will reindex all files, NOT a best solution on prod boxes).

0 Karma

qtorque95
Explorer

Thank you @prakash007. 1. Using the Windows command prompt, typed " cd C:\Program files\splunk\bin\ splunk.exe list input status ". Another DOS screen opens for 2 or 3 seconds, but I am not able to see the contents. Even tried to send the results to a file as follows: at C:\Program Files\Splunk\bin typed (shown in quotes)
"splunk.exe list input status > inputstatus.txt " to see printed results. But got "Access Denied". I don't understand, as I am logged in as Administrator.
3. Using Windows Control Panel | Services, I stopped "Splunkd Service". But I am not sure of the syntax to run the "delete" fishbucket using the Windows command prompt or Windows PowerShell. (I searched for this, but success). Thank you.

0 Karma

ssadanala1
Contributor

Execute the command below to reset the fishbucket:

.\splunk.exe cmd btprobe -d "C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db" --file

0 Karma