Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

re-index windows event logs

bjoernjensen
Contributor
‎02-09-2015 06:07 AM

I would like to force the re-indexing of events in a local Windows Event Log channel, let's say "Security". I have tried to use crcSalt (inputs.conf) but it had no effect on the Windows Event Log events. How can I do this?

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎02-09-2015 06:40 AM

Hi bjoernjensen,

there is another option for crcSalt which is very useful - funny this is not in the docs?!?

you can use the crcSalt = REINDEXMEPLEASE option in any inputs.conf stanza to get this input re-indexed.
Add it to the stanz, restart the forwarder and let it do the work. After that, don't forget to remove the entry again ....

Hope this helps ...

cheers, MuS

0 Karma
Reply

bjoernjensen
Contributor
‎02-09-2015 07:24 AM

Hi MuS,

I just tested it without success.

Remember that crcSalt is being added to the hash of the first x bytes of a file being monitored to decide . Where x is equal to initCrcLength (inputs.conf default is 256). inputs.conf

I am running Splunk 6.2.0. Furthermore I am indexing on the Splunk machine (local Windows Event Logs).

Any ideas?

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎02-09-2015 07:34 AM

the REINDEXMEPLEASE worked so far for me, never had troubles. Take a look at this post about cleaning the _fishbucket http://answers.splunk.com/answers/72562/how-to-reindex-data-from-a-forwarder.html this applies to an indexer and an universal forwarder.

0 Karma
Reply

bjoernjensen
Contributor
‎02-09-2015 07:45 AM

This could work once for a file I want to re-index. But I am looking on Windows Event Logs here. AFAIK handeling for this kind of pointer is done differently. From 2011 I found this post: Link

Unfortunately these checkpoint files do not exist on my system / any more.

All the best - Bjoern

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

.conf26 Registration is Live: Secure Your Early Bird Pass Now

  Lock in Your Spot: Registration Open for .conf26 in Denver Hello Splunkers, I have exciting news! Your ...

Mile High Learning with Splunk University, Denver, Colorado

If Denver is known for its mile-high elevation, Splunk University is about to raise the bar on technical ...

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...