Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Rebuilding index level .data files

vbumgarner
Contributor
‎05-11-2011 09:43 AM

On a healthy index, these two queries return the same value, or at least very similar, since the value is changing as data is indexed:

 |metadata type=sourcetypes | stats sum(totalCount)
 |dbinspect | stats sum(eventCount)

metadata seems to use the files at

*/db/*.data

dbinspect seems to use the files one level down at

*/db/*/*.data

I believe the rebuild command can be used to rebuild the .data on a bucket by bucket basis. Is there a similar command for rebuilding the .data files at the index level, the .data files just inside db?

Tags (3)
0 Karma
Reply

Simeon
Splunk Employee
Splunk Employee
‎05-12-2011 04:37 PM

This is NOT supported, but should work...

  1. Create a "meta.dirty" file in the root directory of the index you want to rebuild.
  2. Restart splunk.
0 Karma
Reply

vbumgarner
Contributor
‎05-18-2011 07:26 AM

An answer I was given off-board was to move the *.data files at the index level aside and restart. This seems to rebuild those files from the *.data files in the buckets themselves.

It would be nice to have a simple way to rebuild all counts, in all buckets and at the index level.

0 Karma
Reply

DUThibault
Contributor
‎11-07-2017 07:43 AM

The "root directory of the index" is e.g. $SPLUNK_DB/defaultdb/db/ ($SPLUNK_DB/defaultdb/ will NOT work). With Splunk 7, meta.dirty is deleted from db/ upon restart but the index is not rebuilt.

I found the following method on https://answers.splunk.com/answers/72562/how-to-reindex-data-from-a-forwarder.html (dating back to 2013):
1) # splunk stop
2) # splunk clean eventdata -index main
This sort of worked, except older data did not get re-indexed. My horizon shrunk from several days to about 5 hours. It ended up easier to remove the data sources (which were directories under surveillance anyway) and add them back in.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...