- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I accidentally truncated my index by dropping the index limit by 3 orders of magnitude. Instead of years of data, I now have a couple of days, but of course, Splunk won't re-index the existing old files that are still there in the data input directory.
Does anyone know how to simply trip Splunk into freshly re-indexing an index from scratch? Would it be as simple as deleting the data input directory entry and re-adding?
Do I need to delete the whole index and start again?
I don't want to delete the whole fishbucket, as there are many other indexes that are fine and that I would like to keep as-is.
I have 2,800 files to reindex, so not an option to manually add each one in via CLI.
Any thoughts most welcome,
Kind regards,
Scott
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If these are files, you can write a script to call splunk add oneshot which ignores the fishbucket:
http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/MonitorfilesanddirectoriesusingtheCLI
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If these are files, you can write a script to call splunk add oneshot which ignores the fishbucket:
http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/MonitorfilesanddirectoriesusingtheCLI
