How to reindex a folder with a FTP log

lakromani · ‎07-04-2014

For some reason I did get a hang or something while I added a folder of FTP log to the Splunk server.

This made the index of older data not work, only new data from a certain date is shown in Splunk.
How does I force Splunk to reindex all data in a folder on a Windows system. Data are stored in C:\log\FTP.

Would it also be possible to say, I just like to get the last 100 days indexed?

Splunk does extract date for the logs and everything else works fine.

musskopf · ‎07-06-2014

If the data is not too big and you have a index with only this data, why not simply delete the file input monitor, the index and start again?

In your inputs.conf you can use the parameter

ignoreOlderThan = 7d

to prevent splunk reading files too old (that's the file modification date, not the event itself).

FYI, Splunk Universal F. has an internal index where it mark what has been indexed. This information is stored at C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket. If you stop Splunk, delete this folder and start again, it'll re-send EVERYTHING to the Splunk Server, like a brand new Splunk UF installation.

musskopf · ‎07-07-2014

If it's a Splunk Universal Forwarder it'll be normally at:
\etc\apps\search\local

lakromani · ‎07-06-2014

Where do I find the "file input monitor and index"?

How to reindex a folder with a FTP log

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability