The ability for Splunk to start where it left off is a great feature. However, sometimes that feature hurts us.
Scenario: The Indexer detects an error in an application that is located in Forwarder_123's logs. The Indexer kicks off a bash script that shuts down Splunk on Forwarder_123 (we shut it down because the application's error could exceed our license max in a matter of minutes). To fix the application, we restart the Application Server, so after the App Server restarts, it may be 30 minutes from when the initial error was found. If we restart Splunk normally on Forwarder_123, all of the data that we do not want will be sent to the Indexer, which we do not want.
So, is there a way to tell the Splunk forwarder to start reading log entries from the last timestamp, instead of from the last location it remembers reading from?
I have tried the following command, but it does not appear to be what I want:
/opt/splunk/server/splunk/bin/splunk clean eventdata -f
The forwarder does NOT index any data. It simply sends the data straight to the Indexer.
Thanks,
Sean