Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

If a file is ignored due to IgnoreOlderThan, is there any way to configure Splunk to read it if I need it later?

Flynt
Splunk Employee
Splunk Employee
‎05-30-2013 04:00 PM

If I specify a value for ignoreOlderThan for an input in my inputs.conf and tailingprocessor thinks the file is older than the ignoreOlderThan value and therefore ignores the file,
is there any way for the file to be read again by Splunk?

Reply
1 Solution
Solved! Jump to solution
Solution

bmacias84
Champion
‎05-31-2013 08:28 AM

The answer is yes, but of course this depends on your requirements. The simiplist answer is to use oneshot using the CLI. You can issue one shot remotly on any splunk instance so long as you have enable remote access or have change the default password for the admin account.

I have on occasion scripted a remote oneshot to index files for one off cases.

If your looking to reset your fishbucket btprob is the real answer.

To reset one file in your fishbucket from your UF:

./btprobe -d SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db --file /var/log/access.log --reset

Note: Your splunk daemon or service must be stopped and if you try to use the base directory you will recieve "could not open '/var/log/' (Access is denied.)". If you doing this on a UF the btprobe will need to be copied to your UF.

You should recieve the following message: key=0x7b100f52c71e67f1 scrc=0x6e16f6c553b73581 sptr=8070178 fcrc=0xcdcd2890474a56fb flen=0 mdtm=1347001048 wrtm=1352329761**95Record (key 0x7b100f52c71e67f1) reset.

If in my case I have hundreds of test file sitting on a UF in mulitple directories, so I wrote a perl script to feed each file in each directory to the btprobe utility.

Hope this helps you or gets you started. Dont forget to accept or thumbs up answers.

Additional Reading:

Hope this help or gets you started.

View solution in original post

Reply
Solved! Jump to solution
Solution

bmacias84
Champion
‎05-31-2013 08:28 AM

The answer is yes, but of course this depends on your requirements. The simiplist answer is to use oneshot using the CLI. You can issue one shot remotly on any splunk instance so long as you have enable remote access or have change the default password for the admin account.

I have on occasion scripted a remote oneshot to index files for one off cases.

If your looking to reset your fishbucket btprob is the real answer.

To reset one file in your fishbucket from your UF:

./btprobe -d SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db --file /var/log/access.log --reset

Note: Your splunk daemon or service must be stopped and if you try to use the base directory you will recieve "could not open '/var/log/' (Access is denied.)". If you doing this on a UF the btprobe will need to be copied to your UF.

You should recieve the following message: key=0x7b100f52c71e67f1 scrc=0x6e16f6c553b73581 sptr=8070178 fcrc=0xcdcd2890474a56fb flen=0 mdtm=1347001048 wrtm=1352329761**95Record (key 0x7b100f52c71e67f1) reset.

If in my case I have hundreds of test file sitting on a UF in mulitple directories, so I wrote a perl script to feed each file in each directory to the btprobe utility.

Hope this helps you or gets you started. Dont forget to accept or thumbs up answers.

Additional Reading:

Hope this help or gets you started.

Reply
Solved! Jump to solution

DerekB
Splunk Employee
Splunk Employee
‎05-30-2013 04:05 PM

Tailing processor looks at the modtime of the file, so if you update the modtime, the file should be looked at again by Splunk. One easy way to do this is to simply restart the machine. The modtime gets updated during that process and tailing processor will then re-read the file and index any new information.

0 Karma
Reply
Get Updates on the Splunk Community!

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...