Getting Data In

re-index windows event logs

Contributor

I would like to force the re-indexing of events in a local Windows Event Log channel, let's say "Security". I have tried to use crcSalt (inputs.conf) but it had no effect on the Windows Event Log events. How can I do this?

0 Karma

SplunkTrust
SplunkTrust

Hi bjoernjensen,

there is another option for crcSalt which is very useful - funny this is not in the docs?!?

you can use the crcSalt = REINDEXMEPLEASE option in any inputs.conf stanza to get this input re-indexed.
Add it to the stanz, restart the forwarder and let it do the work. After that, don't forget to remove the entry again ....

Hope this helps ...

cheers, MuS

0 Karma

Contributor

Hi MuS,

I just tested it without success.

Remember that crcSalt is being added to the hash of the first x bytes of a file being monitored to decide . Where x is equal to initCrcLength (inputs.conf default is 256). inputs.conf

I am running Splunk 6.2.0. Furthermore I am indexing on the Splunk machine (local Windows Event Logs).

Any ideas?

0 Karma

SplunkTrust
SplunkTrust

the REINDEXMEPLEASE worked so far for me, never had troubles. Take a look at this post about cleaning the _fishbucket http://answers.splunk.com/answers/72562/how-to-reindex-data-from-a-forwarder.html this applies to an indexer and an universal forwarder.

0 Karma

Contributor

This could work once for a file I want to re-index. But I am looking on Windows Event Logs here. AFAIK handeling for this kind of pointer is done differently. From 2011 I found this post: Link

Unfortunately these checkpoint files do not exist on my system / any more.

All the best - Bjoern

0 Karma