Getting Data In

not indexing after cleaning eventdata

hiddenkirby
Contributor

So i created an app folder... and indexes.conf .. and an inputs.conf to monitor a directory.

I then restarted splunk via CLI and everything was perfect. Lots of data being indexed immediately.

I realized my sourcetype was wrong, so i...

  1. stopped splunk
  2. made my change to the inputs.conf file for the name of the sourcetype i wanted
  3. did a splunk clean eventdata
  4. started splunk

    [monitor:///data/splunk/mydata/] index = mydata sourcetype = mysourcetype crcSalt = disabled = false

i have 0 events, and can't seem to populated the index again.

does this have to do with the "crcsalt = " line i have in my inputs.conf?

i have even, created a new different index ... still no go.

thoughts?

Tags (1)
1 Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee

Did you clean all indexes or just a single one with splunk clean eventdata? If you cleared all, splunk should have removed the contents of $SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db/ which contains the position in files being read. If you just cleaned a single index, that would not have been cleared and we will continue reading from the end of the files.

This shouldn't have anything to do with the crcSalt.

View solution in original post

Wushu
Explorer

I've had this problem when clearing eventdata - even if i included 'all' - I simply put crcSalt = mysourcetype in the inputs.conf and it fixed the problem.

0 Karma

BunnyHop
Contributor

Maybe try and re-add the monitor? Remove the monitored directory and then re-add it.

0 Karma

Stephen_Sorkin
Splunk Employee
Splunk Employee

Did you clean all indexes or just a single one with splunk clean eventdata? If you cleared all, splunk should have removed the contents of $SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db/ which contains the position in files being read. If you just cleaned a single index, that would not have been cleared and we will continue reading from the end of the files.

This shouldn't have anything to do with the crcSalt.

hiddenkirby
Contributor

ahhah! apologies... and thank you.

0 Karma

Stephen_Sorkin
Splunk Employee
Splunk Employee

Yes, clean eventtdata without an index specified cleans all indexes, including the fishbucket pointers.

As for the "Not a regular file" error, that's unrelated to the gzipped nature, it means that the file doesn't show up to "fstat" as a regular file. Could you run "ls -l" on that file?

0 Karma

hiddenkirby
Contributor

i get "In handler 'oneshotinput': invalid file: path='/data/splunk/mydata/txt123.gz' error='Not a regular file'"

0 Karma

hiddenkirby
Contributor

Also to confirm if i do ~/bin/splunk clean eventdata without naming an index it will clean them all .. including the fishbucket pointers? or do i need to clean "globaldata" or "all" to get that accomplished?

0 Karma

Stephen_Sorkin
Splunk Employee
Splunk Employee

Should work fine with gzips, tars and zips. It doesn't work for directories.

0 Karma

hiddenkirby
Contributor

This command does not work with gzips?

0 Karma

Stephen_Sorkin
Splunk Employee
Splunk Employee

That's trickier and unfortunately we don't have a published tool to modify our database of seek pointers. You can convince Splunk to reindex these files by adding them from the CLI using one-shot input that doesn't check the db. For each file you should run: splunk add oneshot /data/splunk/mydata/ -index mydata -sourcetype mysourcetype.

hiddenkirby
Contributor

well i don't want to clean them all. How does one clean one index and remove those entries from "fishbucket"?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...