Sample File - Reindex

tb5821 · ‎02-10-2018

I have a file that I've been playing around with - now I've come to the point where I want to reindex the entire file but can't seem to figure out how to do so - I've used the sourceType... | delete command which deletes some data but doesn't actually let splunk reindex - even if I re-add the file as a monitor it'll only add new events!

Help.

micahkemp · ‎02-10-2018

Consult this previous answers post for guidance.

tb5821 · ‎02-10-2018

Looking at this option,

manually reindex each file with the
oneshot option, you also can edit the
log file and add a comment on the
first line that will force the file to
detected as a new file.

./splunk add oneshot
"/path/to/my/file.log" -sourcetype
mysourcetype

but is that run from the splunk web search box or from the server or?

493669 · ‎02-10-2018

it will run on CLI (server)

Sample File - Reindex

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20. Learn More or Register Now >

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.

Learn More or Register Now >