So I created an app folder... and indexes.conf... and an inputs.conf to monitor a directory.
I then restarted splunk via CLI and everything was perfect. Lots of data being indexed immediately.
I realized my sourcetype was wrong, so I...
started splunk
[monitor:///data/splunk/mydata/]
index = mydata
sourcetype = mysourcetype
crcSalt =
disabled = false
I have 0 events, and can't seem to populate the index again.
Does this have to do with the "crcsalt = " line I have in my inputs.conf?
I have even created a new, different index... still no go.
Thoughts?
Did you clean all indexes or just a single one with splunk clean eventdata? If you cleared all, Splunk should have removed the contents of $SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db/, which contains the position in files being read. If you just cleaned a single index, that would not have been cleared and we will continue reading from the end of the files.
This shouldn't have anything to do with the crcSalt.
I've had this problem when clearing eventdata - even if I included 'all' - I simply put crcSalt = mysourcetype in the inputs.conf and it fixed the problem.
Maybe try and re-add the monitor? Remove the monitored directory and then re-add it.
Ahhah! Apologies... and thank you.
Yes, clean eventdata without an index specified cleans all indexes, including the fishbucket pointers.
As for the "Not a regular file" error, that's unrelated to the gzipped nature, it means that the file doesn't show up to "fstat" as a regular file. Could you run "ls -l" on that file?
I get "In handler 'oneshotinput': invalid file: path='/data/splunk/mydata/txt123.gz' error='Not a regular file'"
Also, to confirm: if I do ~/bin/splunk clean eventdata without naming an index, it will clean them all... including the fishbucket pointers? Or do I need to clean "globaldata" or "all" to get that accomplished?
Should work fine with gzips, tars and zips. It doesn't work for directories.
This command does not work with gzips?
That's trickier and unfortunately we don't have a published tool to modify our database of seek pointers. You can convince Splunk to reindex these files by adding them from the CLI using one-shot input that doesn't check the db. For each file you should run: splunk add oneshot /data/splunk/mydata/
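The per-file one-shot approach described above, as an added example that is not part of the original thread: it walks the monitored directory, skips anything that is not a regular file (the case that produces the "Not a regular file" error), and issues one splunk add oneshot per file. The function name reindex_dir and the SPLUNK_BIN and DRY_RUN variables are hypothetical; the index and sourcetype values are the ones from the inputs.conf stanza in the question.

```shell
#!/bin/sh
# Added example (not from the thread): re-add files with one-shot input
# after cleaning a single index, without touching the fishbucket.
# SPLUNK_BIN and DRY_RUN are hypothetical knobs for this sketch.
SPLUNK_BIN="${SPLUNK_BIN:-splunk}"

# reindex_dir DIR INDEX SOURCETYPE
# Runs "splunk add oneshot" once per regular file directly inside DIR.
# With DRY_RUN=1 (the default) the commands are printed, not executed.
reindex_dir() {
    dir=$1 index=$2 sourcetype=$3
    for f in "$dir"/*; do
        if [ ! -f "$f" ]; then
            # Unmatched glob in an empty directory: nothing to report.
            [ -e "$f" ] || [ -L "$f" ] || continue
            # Directories, FIFOs, sockets and dangling symlinks are
            # rejected by oneshot, so skip them and say so.
            echo "skip (not a regular file): $f" >&2
            continue
        fi
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "$SPLUNK_BIN add oneshot $f -index $index -sourcetype $sourcetype"
        else
            "$SPLUNK_BIN" add oneshot "$f" \
                -index "$index" -sourcetype "$sourcetype" || return 1
        fi
    done
}

# Usage (review the dry-run output first, then execute):
#   reindex_dir /data/splunk/mydata mydata mysourcetype
#   DRY_RUN=0 reindex_dir /data/splunk/mydata mydata mysourcetype
```

One-shot input is not recorded against the monitor's seek pointers, so running it twice on the same file indexes the events twice.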
Well, I don't want to clean them all. How does one clean one index and remove those entries from "fishbucket"?