I have this file path source specified in the main index that i want to re-index everything collected into a new index that I have created.
Switched over the indexing of new data from the main index to new index. But noticed that old data doesnt get indexed as Splunk dont do duplicate indexing.
Tried doing bt probe to force reindexing which doesnt work which i proceeded to use the | delete command to remove all data from file path source in the new index. Great, it's all cleaned up. (should have made sure the bt probe had worked 😞 )
NO it was not. i foolishly went to use the one shot command in an attempt to re-index all data from old index to new index.
Now when i do a search in the new index, i am seeing different results and event count as the old index. When the same query gets run on both indexes now, the results that came out is different.
I attempted to run the | delete command again in the new index, however it returns with zero events being deleted.
Now the new index has all the data but event count and search query are still different from the old index.
I have some other event log source in the new index, so I am unable to just delete the whole index.
Could i get some help on how i can just force delete all data from only the file path source in the new index? and from there can i reindex the exact same indexed data as the old index? I do not mind losing the indexing of new data in the time being.
Thank you in advance!
... View more