I created a watched folder and loaded from it successfully, then made some changes, deleted the data in the index (splunk clean eventdata -index yourindex -f) and removed the watched folder, assuming I was effectively starting over.
I'm now trying to recreate the watched folder with the same data file(s), but Splunk won't read them. It seems to identify the files, as the "number of files" count is increasing on the data inputs/file directory's page, but it's not indexing them.
I think Splunk has somehow identified the files so as not to reindex them; however, now that I've cleared the index, I actually want it to reindex the files. I hope this is making sense.
Anyone know what I'm doing wrong and how to rectify it?
Thanks,
@Adam_Marx you can clean the fishbucket to re-read the entire file, or you could also create a new file with the same data but a different filename and use crcSalt for that monitor input:
inputs.conf
[monitor:///opt/splunkforwarder/var/logs]
index=main
crcSalt = <SOURCE>
https://answers.splunk.com/answers/46780/reset-splunkforwarder-to-re-read-file-from-beginning.html
Seems to be a problem with cleaning the fishbucket
C:\Program Files\Splunk\bin>splunk clean eventdata -index _fishbucket
This action will permanently erase all events from the index '_fishbucket'; it cannot be undone.
Are you sure you want to continue [y/n]? y
ERROR: Index '_fishbucket' does not exist.
@adam_marx - I've moved your comments into the thread under the answer, to reduce confusion. If your problem has been solved, please accept the answer. Also, in general you can always feel free to upvote any answers you found particularly helpful or useful, whether or not you were the one who asked the question.
splunk clean eventdata cleaned the fishbucket and others...
Thanks,
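A simplified model of the behaviour discussed in this thread, added as an illustration and not taken from the thread or from Splunk's code. It assumes the file fingerprint is a CRC over the first 256 bytes (the documented initCrcLength default) plus any crcSalt; zlib.crc32, the Fishbucket class and the file paths are constructed stand-ins.

```python
import zlib

INIT_CRC_LENGTH = 256  # documented default of initCrcLength in inputs.conf

def file_key(head, source, crc_salt=None):
    """Fingerprint of a monitored file in this simplified model."""
    data = head[:INIT_CRC_LENGTH]
    if crc_salt == "<SOURCE>":
        data += source.encode()    # salt with the full source path
    elif crc_salt:
        data += crc_salt.encode()  # salt with a fixed string
    return zlib.crc32(data)        # stand-in for the real CRC routine

class Fishbucket:
    """Toy stand-in for the fishbucket: remembers files already read."""
    def __init__(self):
        self.seen = set()

    def should_index(self, head, source, crc_salt=None):
        key = file_key(head, source, crc_salt)
        if key in self.seen:
            return False           # treated as already indexed, skipped
        self.seen.add(key)
        return True

    def reset(self):
        self.seen.clear()          # models cleaning the fishbucket

def demo():
    # Constructed sample content and paths
    content = b"2024-01-01 00:00:00 constructed sample event\n" * 10
    fb = Fishbucket()
    results = {}
    results["first_read"] = fb.should_index(content, "/data/watch/a.log")
    # Cleaning the event index does not touch the fishbucket record
    results["same_file_again"] = fb.should_index(content, "/data/watch/a.log")
    # Same bytes under a new name: unsalted key is identical, still skipped
    results["renamed_no_salt"] = fb.should_index(content, "/data/watch/b.log")
    # With crcSalt = <SOURCE> the path is part of the key, so it is read
    results["renamed_with_source_salt"] = fb.should_index(
        content, "/data/watch/b.log", "<SOURCE>")
    fb.reset()
    results["after_reset"] = fb.should_index(content, "/data/watch/a.log")
    return results

if __name__ == "__main__":
    for step, indexed in demo().items():
        print(step, "->", "indexed" if indexed else "skipped")
```

For the reset itself, Splunk's tracking index is named `_thefishbucket`, which is consistent with the "does not exist" error for `_fishbucket` quoted above.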