How to reindex a folder with an FTP log

lakromani
Builder

For some reason I got a hang or something while I added a folder of FTP logs to the Splunk server.

This made the index of older data not work; only new data from a certain date is shown in Splunk.
How do I force Splunk to reindex all data in a folder on a Windows system? Data are stored in C:\log\FTP.

Would it also be possible to say that I would just like to get the last 100 days indexed?

Splunk does extract the date for the logs and everything else works fine.

0 Karma

musskopf
Builder

If the data is not too big and you have an index with only this data, why not simply delete the file input monitor, the index and start again?

In your inputs.conf you can use the parameter

ignoreOlderThan = 7d

to prevent Splunk from reading files that are too old (that's the file modification date, not the event itself).

FYI, Splunk Universal Forwarder has an internal index where it marks what has been indexed. This information is stored at C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket. If you stop Splunk, delete this folder and start again, it'll re-send EVERYTHING to the Splunk Server, like a brand new Splunk UF installation.

0 Karma
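
The reset described in the answer above, as an added PowerShell example that is not part of the original posts. It assumes a Universal Forwarder in the default path quoted in the answer and the default Windows service name SplunkForwarder; it renames the fishbucket folder instead of deleting it so the old state can be restored, and `<your_index>` is a placeholder.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Assumptions: Universal Forwarder installed in the default path, Windows
# service named "SplunkForwarder", logs in the folder named in the question.
$LogDir     = 'C:\log\FTP'
$Days       = 100
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
$Fishbucket = Join-Path $SplunkHome 'var\lib\splunk\fishbucket'

# inputs.conf stanza this procedure pairs with (index name is a placeholder):
#   [monitor://C:\log\FTP]
#   ignoreOlderThan = 100d
#   index = <your_index>

# 1. Preview what ignoreOlderThan = 100d would read. The setting compares the
#    file modification time, not the timestamps of the events inside the file.
$cutoff = (Get-Date).AddDays(-$Days)
$files  = Get-ChildItem -Path $LogDir -File -Recurse
$keep   = $files | Where-Object { $_.LastWriteTime -ge $cutoff }
$skip   = $files | Where-Object { $_.LastWriteTime -lt $cutoff }
"{0} files inside the window, {1} older files would be ignored" -f @($keep).Count, @($skip).Count
$keep | Sort-Object LastWriteTime | Select-Object LastWriteTime, Length, FullName

# 2. Reset the forwarder's record of what it has already read.
#    This applies to every monitored input on this forwarder, so all of them
#    are re-sent, not only the FTP folder.
Stop-Service -Name SplunkForwarder
$backup = 'fishbucket.bak-{0:yyyyMMddHHmmss}' -f (Get-Date)
Rename-Item -Path $Fishbucket -NewName $backup   # kept as a rollback copy
Start-Service -Name SplunkForwarder
```

Events that were already indexed before the reset will appear twice unless the target index is emptied first, which is why the answer suggests starting again with a dedicated index.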

musskopf
Builder

If it's a Splunk Universal Forwarder it'll normally be at:
\etc\apps\search\local

0 Karma

lakromani
Builder

Where do I find the "file input monitor and index"?

0 Karma