Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

re-index windows event logs

bjoernjensen
Contributor
‎02-09-2015 06:07 AM

I would like to force the re-indexing of events in a local Windows Event Log channel, let's say "Security". I have tried to use crcSalt (inputs.conf) but it had no effect on the Windows Event Log events. How can I do this?

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎02-09-2015 06:40 AM

Hi bjoernjensen,

there is another option for crcSalt which is very useful - funny this is not in the docs?!?

you can use the crcSalt = REINDEXMEPLEASE option in any inputs.conf stanza to get this input re-indexed.
Add it to the stanz, restart the forwarder and let it do the work. After that, don't forget to remove the entry again ....

Hope this helps ...

cheers, MuS

0 Karma
Reply

bjoernjensen
Contributor
‎02-09-2015 07:24 AM

Hi MuS,

I just tested it without success.

Remember that crcSalt is being added to the hash of the first x bytes of a file being monitored to decide . Where x is equal to initCrcLength (inputs.conf default is 256). inputs.conf

I am running Splunk 6.2.0. Furthermore I am indexing on the Splunk machine (local Windows Event Logs).

Any ideas?

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎02-09-2015 07:34 AM

the REINDEXMEPLEASE worked so far for me, never had troubles. Take a look at this post about cleaning the _fishbucket http://answers.splunk.com/answers/72562/how-to-reindex-data-from-a-forwarder.html this applies to an indexer and an universal forwarder.

0 Karma
Reply

bjoernjensen
Contributor
‎02-09-2015 07:45 AM

This could work once for a file I want to re-index. But I am looking on Windows Event Logs here. AFAIK handeling for this kind of pointer is done differently. From 2011 I found this post: Link

Unfortunately these checkpoint files do not exist on my system / any more.

All the best - Bjoern

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...