Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Forcing LWF to resend (and Indexer to re-index) segment of corrupted data

TR_Splunker
Engager
‎01-31-2011 11:41 PM

We recently rebuilt several endpoints and cloned the configs on them. Unfortunately, the input.conf file had the same [default] host= for all 18 servers because all the files were cloned from one server. While the data is present, it is all being lumped under one hostname.

We've fixed the input.conf file and now all the data is being handled correctly, but we want to re-import about 2 weeks worth that was pulled in with the wrong hostname.

Is there a way to delete a range of data that is corrupted on the index servers, and force the forwarder to re-send it?

Tags (1)
Reply

jrodman
Splunk Employee
Splunk Employee
‎01-31-2011 11:51 PM

It's possible to hide some data so that has been already indexed with the delete command, this makes it no longer searchable.

http://www.splunk.com/base/Documentation/4.1.5/SearchReference/Delete http://www.splunk.com/base/Documentation/4.1.5/Admin/RemovedatafromSplunk

It isn't reversible (and off by default), so measure twice, cut once.

You can force reindexing by a couple of different methods. You could reindex everything using a splunk clean eventdata on your forwarders. You could force reindexing of specific files by copying them to $SPLUNK_HOME/var/log/splunk, though the paths will be a bit different. You can tell splunk to index a particular file regardless of the duplication logic with the oneshot input method: splunk help add oneshot

Lastly, a bit dirty, you could get somewhat sneaky and defeat splunk's redundancy checking. If you modify the first 256 bytes of your logfiles, eg by inserting a single character of whitespace at the start of them, it will reindex those files, assuming they are totally new.

Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...