First of all, even before reindexing, to configure Splunk to index only recent data you can use these 2 techniques:

For file monitoring, add the parameter ignoreOlderThan in inputs.conf. It looks at the modtime of the files; for example, ignoreOlderThan=7d will index only files touched during the last 7 days. On Linux you can couple this with the touch command to change the modtime of a file and trigger the indexing.

For WinEventLogs, you can set the parameter current_only=1 in inputs.conf to exclude the historical logs and start only from now.

Now that you have set up your inputs to avoid flooding your instance, you can focus on how to force a Splunk instance to reindex a file that has already been indexed.

The radical method is to clean the fishbucket index. That will remove the memory of every file, but it will reindex everything.
On an indexer: splunk clean eventdata -index _fishbucket
On a forwarder: remove the folder $SPLUNK_HOME/var/lib/splunk/fishbucket

Or selectively forget a single file from the fishbucket:
splunk cmd btprobe -d $SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db -file $FILE -reset

Manually reindex each file with the oneshot option:
splunk add oneshot "/path/to/my/file.log" -sourcetype mysourcetype

You can also edit the log file and add a comment on the first line, which will force the file to be detected as a new file. Modify the first line of the files to reindex: by default Splunk checks the first 256 chars of a file to differentiate them, so if you add a simple comment on the first line it will reindex it.

Change the crcSalt, using a static string that will force a one-time reindexing. Or create a new input for a new folder, add all the correct sourcetypes, etc., then move or copy the files to be reindexed to that folder; they will be detected as new (because the path will be considered in the CRC calculation).

Remark: before reindexing you may want to remove the existing data in Splunk to avoid duplicates (PS: the source field will be different, of course). You can empty the index if nothing has to be preserved, or use the |delete command to selectively hide some events.

Remark: if you are monitoring Windows logs (WinEventLog) or are using modular inputs, the counters are not in the fishbucket.
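To make the "first 256 chars" behaviour and the effect of the crcSalt and btprobe tricks above concrete, here is an added shell example that is not part of the original post and not Splunk's own code. It models the fishbucket check with a toy fingerprint: POSIX cksum stands in for Splunk's CRC and a plain text file stands in for splunk_private_db (both are assumptions; neither matches Splunk's real format). The sample log files are constructed inline.

```shell
#!/bin/sh
# Added example, not code from the original post: a toy model of how Splunk
# decides whether a monitored file is "new". Splunk fingerprints the first
# 256 bytes of a file (the initCrcLength default) and stores that CRC in the
# fishbucket; with crcSalt set, the salt is mixed into the fingerprint.
# Assumptions: POSIX cksum stands in for Splunk's CRC, and a plain text file
# stands in for the fishbucket. Neither matches Splunk's real on-disk format.

FISHBUCKET="${FISHBUCKET:-$(mktemp)}"   # our stand-in for splunk_private_db

# fingerprint FILE [SALT]: CRC of the first 256 bytes, plus an optional salt.
fingerprint() {
    { head -c 256 "$1"; printf '%s' "${2:-}"; } | cksum | cut -d' ' -f1
}

# is_new FILE [SALT]: succeeds when the fingerprint is not yet recorded.
is_new() {
    ! grep -qx "$(fingerprint "$1" "$2")" "$FISHBUCKET"
}

# remember FILE [SALT]: record the fingerprint, as indexing the file would.
remember() {
    fingerprint "$1" "$2" >> "$FISHBUCKET"
}

# forget FILE [SALT]: drop one fingerprint, like "btprobe ... -file F -reset".
forget() {
    fp=$(fingerprint "$1" "$2")
    grep -vx "$fp" "$FISHBUCKET" > "$FISHBUCKET.tmp" || true
    mv "$FISHBUCKET.tmp" "$FISHBUCKET"
}

# demo: constructed sample logs that share a 300-byte header line, as two
# rotated copies of the same application log would.
demo() {
    dir=$(mktemp -d)
    hdr=$(printf 'CONSTRUCTED-HEADER-%0281d' 0)
    printf '%s\n2024-01-01 00:00:01 INFO first event\n' "$hdr" > "$dir/app.log"
    printf '%s\n2024-01-02 00:00:01 INFO other event\n' "$hdr" > "$dir/app.log.1"

    remember "$dir/app.log"
    is_new "$dir/app.log.1" || echo "app.log.1 looks already indexed: same first 256 bytes"

    # fix 1: a comment on the first line changes the fingerprint
    { printf '# reindex me\n'; cat "$dir/app.log.1"; } > "$dir/app.log.1.edited"
    is_new "$dir/app.log.1.edited" && echo "edited file is new"

    # fix 2: a path-based salt (Splunk: crcSalt = <SOURCE>) tells the two apart
    is_new "$dir/app.log.1" "$dir/app.log.1" && echo "salted app.log.1 is new"

    # fix 3: a static salt forces a one-time reindex of everything, but the
    # two files still collide with each other afterwards
    is_new "$dir/app.log" "v2" && echo "static salt: app.log is new again"
    remember "$dir/app.log" "v2"
    is_new "$dir/app.log.1" "v2" || echo "static salt: app.log.1 still collides"

    # fix 4: forget one file from the fishbucket
    forget "$dir/app.log"
    is_new "$dir/app.log" && echo "after forget: app.log is new"
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh reindex_model.sh demo` (file name is assumed). The point of the demo is the collision: two files with identical first 256 bytes are one file as far as the fishbucket is concerned, which is exactly why a rotated log or a copied file is silently skipped, and why a first-line comment, a path-based salt, or a btprobe reset each make it "new" again, while a static salt only buys one reindex.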