Knowledge Management

How do I get an existing index to freshly re-index the same data input directory

scodenton
Engager

Hi,

I accidentally truncated my index by dropping the index limit by 3 orders of magnitude. Instead of years of data, I now have a couple of days, but of course, Splunk won't re-index the existing old files that are still there in the data input directory.

Does anyone know how to simply trip Splunk into freshly re-indexing an index from scratch? Would it be as simple as deleting the data input directory entry and re-adding?

Do I need to delete the whole index and start again?

I don't want to delete the whole fishbucket, as there are many other indexes that are fine and that I would like to keep as-is.

I have 2,800 files to reindex, so not an option to manually add each one in via CLI.

Any thoughts most welcome,

Kind regards,

Scott

0 Karma
1 Solution

woodcock
Esteemed Legend

If these are files, you can write a script to call splunk add oneshot which ignores the fishbucket:

http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/MonitorfilesanddirectoriesusingtheCLI

View solution in original post

woodcock
Esteemed Legend

If these are files, you can write a script to call splunk add oneshot which ignores the fishbucket:

http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/MonitorfilesanddirectoriesusingtheCLI

Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...