there is another option for
crcSalt which is very useful - funny this is not in the docs?!?
you can use the
crcSalt = REINDEXMEPLEASE option in any
inputs.conf stanza to get this input re-indexed.
Add it to the stanz, restart the forwarder and let it do the work. After that, don't forget to remove the entry again ....
Hope this helps ...
I just tested it without success.
Remember that crcSalt is being added to the hash of the first x bytes of a file being monitored to decide . Where x is equal to initCrcLength (inputs.conf default is 256). inputs.conf
I am running Splunk 6.2.0. Furthermore I am indexing on the Splunk machine (local Windows Event Logs).
REINDEXMEPLEASE worked so far for me, never had troubles. Take a look at this post about cleaning the
_fishbucket http://answers.splunk.com/answers/72562/how-to-reindex-data-from-a-forwarder.html this applies to an indexer and an universal forwarder.
This could work once for a file I want to re-index. But I am looking on Windows Event Logs here. AFAIK handeling for this kind of pointer is done differently. From 2011 I found this post: Link
Unfortunately these checkpoint files do not exist on my system / any more.
All the best - Bjoern