Splunk Enterprise

Sample File - Reindex

Communicator

I have a file that I've been playing around with. Now I've come to the point where I want to reindex the entire file but can't seem to figure out how to do so. I've used the sourceType... | delete command, which deletes some data but doesn't actually let Splunk reindex; even if I re-add the file as a monitor it'll only add new events!

Help.

0 Karma

Re: Sample File - Reindex

Champion

Consult this previous answers post for guidance.

0 Karma

Re: Sample File - Reindex

Communicator

Looking at this option,

manually reindex each file with the oneshot option, you also can edit the log file and add a comment on the first line that will force the file to be detected as a new file.

./splunk add oneshot "/path/to/my/file.log" -sourcetype mysourcetype

But is that run from the Splunk web search box or from the server or?

0 Karma

Re: Sample File - Reindex

Super Champion

It will run on the CLI (server).

0 Karma