Re-index data into Splunk
Sometimes, for unavoidable reasons, data loss or partial indexing may occur during indexing, and you might then want to re-index all your data into Splunk. The following techniques re-index your data:
While data is ingested, all CRCs and seek addresses are stored in the fishbucket. To re-index the data, all we need to do is remove/delete the fishbucket.
To delete/remove the fishbucket:
1. Move to the directory /opt/splunk/var/lib/splunk (on the instance forwarding data)
2. Delete/Remove the sub-directory fishbucket
i) #cd $SPLUNK_HOME/var/lib/splunk
ii) #rm -rf fishbucket
Restart your Splunk instance ($SPLUNK_HOME/bin/splunk restart).
Now, as soon as your files are updated on the application server, the whole contents of your files will be re-indexed into Splunk in their corresponding indexes.
The data is re-indexed again.
Re-index data without deleting the fishbucket/re-index contents of any specific file
There may be situations where you only want to re-index the data for a particular file. In that case, you can use the command given below to reset that file's checkpoint with btprobe (run the command on the Splunk instance forwarding data).
btprobe: It queries the fishbucket for checkpoints stored by monitor inputs. Any changes you make to the fishbucket using btprobe take effect only after a restart.
i) #cd $SPLUNK_HOME/bin
ii) #./splunk stop
iii) #./splunk cmd btprobe -d $SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db --file <File Path> --reset
iv) #./splunk start
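The per-file procedure above, wrapped so that several files are reset in a single stop/start cycle and every path is checked before Splunk is stopped. This is an added example, not part of the original post; the function names, the DRY_RUN switch and the return codes are assumptions made for the sketch, and only the splunk and btprobe invocations shown above are used.

```shell
#!/bin/sh
# Added example: batch btprobe reset with pre-checks (names are hypothetical).
DRY_RUN=${DRY_RUN:-1}   # 1 = only print the commands, 0 = execute them

# Print the command in dry-run mode, otherwise run it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# reset_checkpoints SPLUNK_HOME FILE...
# Validates all inputs first, then stops the instance once, resets the
# checkpoint of each file, and starts the instance again.
reset_checkpoints() {
    home=$1; shift
    db="$home/var/lib/splunk/fishbucket/splunk_private_db"
    [ -d "$db" ] || { echo "fishbucket db not found: $db" >&2; return 2; }
    [ "$#" -gt 0 ] || { echo "no files given" >&2; return 2; }
    for f in "$@"; do
        case $f in
            /*) ;;   # this sketch only accepts absolute paths
            *) echo "not an absolute path: $f" >&2; return 3 ;;
        esac
        # A file that is missing cannot be re-read, so fail before stopping.
        [ -f "$f" ] || { echo "no such file: $f" >&2; return 3; }
    done
    run "$home/bin/splunk" stop || return 1
    status=0
    for f in "$@"; do
        run "$home/bin/splunk" cmd btprobe -d "$db" --file "$f" --reset || status=1
    done
    # Start again even if a reset failed, so the forwarder is not left down.
    run "$home/bin/splunk" start || status=1
    return $status
}

# Usage (dry run): reset_checkpoints "$SPLUNK_HOME" /var/log/app/app.log
```

Resetting a checkpoint makes Splunk read the file from the beginning, so events from that file that were already indexed will be indexed a second time.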
I hope you like this blog. If you are still facing issues regarding this topic, feel free to ask your doubts in the comment section below, and don't forget to follow more of our Splunk blogs on Avotrix.
Happy Splunking!