Solved: Use btprobe reset to re-index multiple files

MedralaG · ‎05-27-2017

I have the following files that are being monitored on a server with a universal forwarder.
/var/log/www1/secure.log
/var/log/www1/access.log
/var/log/www2/secure.log
/var/log/www2/access.log

Is there a way to use wildcards to get btprobe to reset and reindex the content of those files.
Keep in mind that the /var/log/ directory has other subfolders that are being monitored that I don't want to reset those, so purging the fishbucket folder is out of question.

woodcock · ‎05-28-2017

Even if wildcards worked (there's no indication that they do), it would be too risky to use them; just do this from shell in bash:

for file in /var/log/www1/secure.log /var/log/www1/access.log /var/log/www2/secure.log /var/log/www2/access.log
do
    echo resetting $file...
    $SPLUNK_HOME/bin/splunk cmd btprobe -d  $SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db  --file $file --reset
done

View solution in original post

woodcock · ‎05-28-2017

Even if wildcards worked (there's no indication that they do), it would be too risky to use them; just do this from shell in bash:

for file in /var/log/www1/secure.log /var/log/www1/access.log /var/log/www2/secure.log /var/log/www2/access.log
do
    echo resetting $file...
    $SPLUNK_HOME/bin/splunk cmd btprobe -d  $SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db  --file $file --reset
done

Use btprobe reset to re-index multiple files

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I

Are you a member of the Splunk Community?

Use btprobe reset to re-index multiple files

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I