Getting Data In

re-index windows event logs

bjoernjensen
Contributor

I would like to force the re-indexing of events in a local Windows Event Log channel, let's say "Security". I have tried to use crcSalt (inputs.conf) but it had no effect on the Windows Event Log events. How can I do this?

0 Karma

MuS
Legend

Hi bjoernjensen,

there is another option for crcSalt which is very useful - funny this is not in the docs?!?

you can use the crcSalt = REINDEXMEPLEASE option in any inputs.conf stanza to get this input re-indexed.
Add it to the stanz, restart the forwarder and let it do the work. After that, don't forget to remove the entry again ....

Hope this helps ...

cheers, MuS

0 Karma

bjoernjensen
Contributor

Hi MuS,

I just tested it without success.

Remember that crcSalt is being added to the hash of the first x bytes of a file being monitored to decide . Where x is equal to initCrcLength (inputs.conf default is 256). inputs.conf

I am running Splunk 6.2.0. Furthermore I am indexing on the Splunk machine (local Windows Event Logs).

Any ideas?

0 Karma

MuS
Legend

the REINDEXMEPLEASE worked so far for me, never had troubles. Take a look at this post about cleaning the _fishbucket http://answers.splunk.com/answers/72562/how-to-reindex-data-from-a-forwarder.html this applies to an indexer and an universal forwarder.

0 Karma

bjoernjensen
Contributor

This could work once for a file I want to re-index. But I am looking on Windows Event Logs here. AFAIK handeling for this kind of pointer is done differently. From 2011 I found this post: Link

Unfortunately these checkpoint files do not exist on my system / any more.

All the best - Bjoern

0 Karma
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...