Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

replacing inputs.conf

heterodyned
Path Finder
‎07-23-2010 04:57 AM

This would be a very trivial question, but what are the circumstances when splunk re-indexes new data? Replacing an existing inputs.conf with another inputs.conf shouldnt actually re-index data, but incase I need to perform a re-indexing, then would it be by clearing the data and then restarting splunk services?

Thanks,

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Genti
Splunk Employee
Splunk Employee
‎07-23-2010 05:05 AM

im assuming that you do not just want to re-index the data and have duplicates in.
If what you would like to do is clean all of your existing data, and then re-indexing it all up again then you can do the following:

./splunk stop
./splunk clean eventdata index_name
./splunk start

For more info on this go here
Cheers,
.gz

View solution in original post

Reply
Solved! Jump to solution
Solution

Genti
Splunk Employee
Splunk Employee
‎07-23-2010 05:05 AM

im assuming that you do not just want to re-index the data and have duplicates in.
If what you would like to do is clean all of your existing data, and then re-indexing it all up again then you can do the following:

./splunk stop
./splunk clean eventdata index_name
./splunk start

For more info on this go here
Cheers,
.gz

Reply
Solved! Jump to solution

Genti
Splunk Employee
Splunk Employee
‎07-29-2010 05:40 AM

replacing inputs.conf (and restarting the server) will only make the new data that comes in obey the rules in the new inputs.conf. The data that is originally there will not be reindexed and it will not change to obey the new rules. For reindexing you will need to use the clean command, or perhaps use crcSalt

0 Karma
Reply
Solved! Jump to solution

heterodyned
Path Finder
‎07-29-2010 03:10 AM

Alright, I was wondering to replace our existing inputs.conf with the same copy of inputs.conf but with some modifications/flags like sourcetype/hostname etc...

0 Karma
Reply
Solved! Jump to solution

Genti
Splunk Employee
Splunk Employee
‎07-23-2010 04:27 PM

If it is the same exact inputs.conf then no, you should see no other data. If you add some other monitor stanza or any other flags in the inputs.conf (such as crcSalt) the you might see more data/duplicates

0 Karma
Reply
Solved! Jump to solution

heterodyned
Path Finder
‎07-23-2010 06:19 AM

So replacing inputs.conf from existing locations shouldnt cause duplicate data right?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf23 Registration is Now Open!

Time to toss the .conf-etti 🎉 —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Attention everyone! We have exciting news to share! We are recruiting new members for the Mission Possible: ...

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...