Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can we delete the fishbucket for a specific index ?

vrmandadi
Builder
‎12-08-2022 08:07 AM

Hello Experts ,

I am trying to delete the fishbucket but I want to delete only one index=syslog..Is there a command I can run that only delete for a  particular index

 

Thanks in Advance 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-08-2022 08:28 AM

The fishbucket is used for Splunk to keep track of its place in each input file.  This is before data is indexed so fishbuckets have no knowledge of indexes.  Deleting a fishbucket causes an input file to re-indexed from the beginning.

If you want to delete data from an index then give up now.  Indexed data cannot be deleted, removed, purged, edited, redacted, modified, or otherwise changed.  The best you can do is hide events from search results using the delete command.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

vrmandadi
Builder
‎12-08-2022 10:41 AM

@richgalloway  Thank you for your response .. The reason I asked was I am having issue with data -re indexing .For that I have done the following steps
Created a new index(previously it was syslog ..changed to syslog1)
Created new data input ([monitor:///admin/logs/abc/syslog/syslog.log*]
Reset the fishbucket entry for all those files
After I enabled the input I see data coming in from syslog.log, syslog.log.25.gz, syslog.log.26.gz etc but few are missing

I checked splunkd.log and saw these messages

12-08-2022 01:50:55.675 +0000 INFO  ArchiveProcessor [180967 archivereader] - Handling file=/admin/logs/abc/syslog/syslog.log.2.gz

12-08-2022 01:50:55.676 +0000 INFO  ArchiveProcessor [180967 archivereader] - record time older than bucket, reindexing path=/admin/logs/abc/syslog/syslog.log.2.gz

12-08-2022 01:50:55.676 +0000 INFO  ArchiveProcessor [180967 archivereader] - reading path=/admin/logs/abc/syslog/syslog.log.2.gz (seek=0 len=579119)

12-08-2022 01:50:55.788 +0000 INFO  ArchiveProcessor [180967 archivereader] - Archive with path="/admin/logs/abc/syslog/syslog.log.2.gz" was already indexed as a non-archive, skipping.

12-08-2022 01:50:55.790 +0000 INFO  ArchiveProcessor [180967 archivereader] - Finished processing file '/admin/logs/abc/syslog/syslog.log.2.gz', removing from stats

 

How to re-ingest 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-08-2022 11:34 AM

I think what is happening is Splunk is refusing to ingest the gzip file because it thinks it's already read the uncompressed version of the file.  If the .gz file is just a compressed version of a file already read then you're done (compressed files tend to be deny-listed to avoid this).

If you need the gzip files indexed then try this.  Denylist the .gz files and allow the rest to be indexed.  Clear the fishbucket again then denylist the uncompressed files.  This should allow the compressed files to be indexed.  After that, restore your normal input settings.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

vrmandadi
Builder
‎12-08-2022 12:27 PM

@richgalloway  Thank you for your input . So are you suggesting to blacklist gzip files first so that it indexes unzipped files and then blacklist unzipped files so that zip files will be indexed?.

monitor:///admin/logs/bac/syslog/syslog.log*]

blacklist = .*/syslog\.log\.1\.gz$

disabled = 0

host = metrics-preos02

host_segment = 3

index = syslog-test1

sourcetype = syslog

whitelist = .*/syslog\.log(|\.[0-9]+\.gz)$

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-08-2022 01:28 PM

Yes, that is what I am suggesting - with a delete of the fishbucket in between.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...