Deployment Architecture

Use btprobe reset to re-index multiple files

MedralaG
Communicator

I have the following files that are being monitored on a server with a universal forwarder.
/var/log/www1/secure.log
/var/log/www1/access.log
/var/log/www2/secure.log
/var/log/www2/access.log

Is there a way to use wildcards to get btprobe to reset and reindex the content of those files.
Keep in mind that the /var/log/ directory has other subfolders that are being monitored that I don't want to reset those, so purging the fishbucket folder is out of question.

0 Karma
1 Solution

woodcock
Esteemed Legend

Even if wildcards worked (there's no indication that they do), it would be too risky to use them; just do this from shell in bash:

for file in /var/log/www1/secure.log /var/log/www1/access.log /var/log/www2/secure.log /var/log/www2/access.log
do
    echo resetting $file...
    $SPLUNK_HOME/bin/splunk cmd btprobe -d  $SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db  --file $file --reset
done

View solution in original post

0 Karma

woodcock
Esteemed Legend

Even if wildcards worked (there's no indication that they do), it would be too risky to use them; just do this from shell in bash:

for file in /var/log/www1/secure.log /var/log/www1/access.log /var/log/www2/secure.log /var/log/www2/access.log
do
    echo resetting $file...
    $SPLUNK_HOME/bin/splunk cmd btprobe -d  $SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db  --file $file --reset
done
0 Karma
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...