Splunk Search

no longer seeing all logs after clearing index

jonathanfalconi
Explorer

I am no longer seeing all my logs on the indexer after clearing the index of all data. Is there something that needs to be cleared or restarted on the forwarder so all the available logs can be gobbled up again?

I used this command on the indexer

splunk clean eventdata -index proxylogs -f

jonathanfalconi
Explorer

Had to manually clear out the fishbucket (rm -rf all files in fishbucket) due to the following error:

"strange - seems I have another issue now! I have tried all the variations of the command and still cannot clean the index; it always comes back with this error: ERROR: Cleaning eventdata is not supported on this version.
./splunk clean eventdata -index _fishbucket
./splunk clean eventdata"

jonathanfalconi
Explorer

I have cleared out the index on my indexer and the fishbucket on the Universal forwarder, but I am still only receiving logs from one particular file in the directory being monitored; the directory has multiple files which should be feeding into the indexer. The tailing message I get is below:

11-23-2012 13:20:22.718 +0000 INFO TailingProcessor - Archive file='/var/opt/proxy/logs/lxnhostp01/access1211231318-x.2x3.1x4.x.log.gz' has stopped changing, will read it now.

Any thoughts?

thanks
Jon

Drainy
Champion

Ah, in that case you will just need to delete the fishbucket manually; use an rm -rf on the var/lib/splunk/fishbucket directory within the forwarder directory. Make a backup first, but this should do the job.
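
As an added example (not code from the thread or from Splunk), a POSIX shell function that does the manual reset described here in a safer order: stop the forwarder, take a tar backup, then empty the fishbucket so every monitored file is re-read from the start. It assumes the forwarder layout named in the thread, with the fishbucket at $SPLUNK_HOME/var/lib/splunk/fishbucket and the CLI at $SPLUNK_HOME/bin/splunk; the backup directory is an assumed default.

```shell
#!/bin/sh
# reset_fishbucket SPLUNK_HOME [BACKUP_DIR]
# Backs up and empties the forwarder's fishbucket (Splunk's record of what it
# has already read) so all monitored files are picked up again from the start.
# Assumptions: fishbucket at $SPLUNK_HOME/var/lib/splunk/fishbucket and the
# CLI at $SPLUNK_HOME/bin/splunk (standard layout; not taken from the thread).
# Prints the path of the backup archive on success.
reset_fishbucket() {
    splunk_home="$1"
    backup_dir="${2:-$splunk_home/fishbucket-backups}"
    fishbucket="$splunk_home/var/lib/splunk/fishbucket"
    splunk_cli="$splunk_home/bin/splunk"

    [ -d "$fishbucket" ] || { echo "no fishbucket at $fishbucket" >&2; return 1; }

    # Never modify the fishbucket under a running splunkd: stop it first when
    # the CLI is present (CLI output goes to stderr so stdout stays the path).
    if [ -x "$splunk_cli" ]; then
        "$splunk_cli" stop >&2 || return 1
    fi

    # Back up before deleting, as advised above.
    mkdir -p "$backup_dir" || return 1
    stamp=$(date +%Y%m%d%H%M%S)
    backup="$backup_dir/fishbucket-$stamp.tar"
    tar -cf "$backup" -C "$splunk_home/var/lib/splunk" fishbucket || return 1

    # Remove the contents only; keeping the directory preserves its
    # ownership and permissions for the forwarder to reuse.
    find "$fishbucket" -mindepth 1 -delete || return 1

    if [ -x "$splunk_cli" ]; then
        "$splunk_cli" start >&2 || return 1
    fi
    echo "$backup"
}
```

Run it as `reset_fishbucket /opt/splunkforwarder` on the forwarder; the printed tar path is what you restore from if the wrong files get re-indexed.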

jonathanfalconi
Explorer

Looks like this command is no longer supported. I have seen one other person with the same issue but no solution. Will start a new thread: "clean eventdata command not supported on UF".

Thanks for your help.

Drainy
Champion

Try running ./splunk help clean and see what it says 🙂 The docs seem to match what I've pasted, but it's clearly not happy.

jonathanfalconi
Explorer

strange - seems I have another issue now! I have tried all the variations of the command and still cannot clean the index; it always comes back with this error: ERROR: Cleaning eventdata is not supported on this version.

./splunk clean eventdata -index _fishbucket
./splunk clean eventdata

Drainy
Champion

Hmm, perhaps ./splunk clean eventdata -index _fishbucket, or if not, is there other data you need, or could you reindex it all? (Depends if this is prod or not, really.) You could just run ./splunk clean eventdata (warning: this deletes everything).

jonathanfalconi
Explorer

I am running version 4.2.4 on Solaris - when I run the command I get the following error:

This action will permanently erase all events from the index '_fishbucket'; it cannot be undone.
Are you sure you want to continue [y/n]? y

ERROR: Cleaning eventdata is not supported on this version.

thanks
Jon

Drainy
Champion

Right, so you need to clear the fishbucket; only a clean all would hit the fishbucket too.

Drainy
Champion

What command did you use to clear the indexes? Splunk stores a record of what it has read in something called the fishbucket; these exist on forwarders too, so you need to clear them on an indexer (if it's reading local files) or a forwarder (if it's reading local files on a remote server).

From memory I believe the command is:

./splunk clean eventdata _fishbucket

If you don't have anything else of importance in other indexes or want to do this on a forwarder then you can just do a clean all.
