Hi @yyyharmonia,

I am using google translator to translate your question and based on understanding you want to restore test_log1.log in /data/ directory from backup because test_log1.log is corrupted. In that case when you restore test_log1.log, restart splunkforwarder once so it will index test_log1.log file again but there might be chances that you will end-up with duplicate data in splunk if your test_log1.log corrupted in half-way, in that case you can use | delete command to hide those duplicate data from searching before restoring test_log1.log from backup but you need can_delete role to run this command even admin can't run this command.

So for example you have duplicate data from 11 AM to 1 PM by checking restored test_log1.log and data which is available in splunk so for those events run your search like index=<index name> source=/data/test_log1.log | delete and run this query for 11 AM to 1 PM so it will hide those data from searching again.

After restoring file if it will not index again then please follow below steps

1.) Stop Splunk on Universal forwarder
2.) Run command $SPLUNK_HOME/bin/splunk cmd btprobe -d $SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db --file /data/test_log1.log --reset , this command will remove /data/test_log1.log from fishbucket so forwarder will read it again.
3.) Start Splunk on Universal forwarder.

I hope this helps.

Thanks,
Harshil