Sometimes, for unavoidable reasons, data is lost during indexing or only part of it gets indexed, and you may want to re-index all your data into Splunk. The following techniques can be used to re-index your data:

While data is ingested, the CRCs and seek addresses are recorded in the fishbucket. To re-index the data, all we need to do is remove (delete) the fishbucket.

To delete/remove the fishbucket:

1. Move to the directory /opt/splunk/var/lib/splunk (on the instance forwarding data)

2. Delete/Remove the sub-directory fishbucket

i) #cd $SPLUNK_HOME/var/lib/splunk
ii) #rm -rf fishbucket

Then restart your Splunk instance ($SPLUNK_HOME/bin/splunk restart).

Now, as soon as your files are updated on the application server, the whole contents of your files will be re-indexed into Splunk in their corresponding indexes.

The data is then re-indexed.
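
The procedure above as a shell function, added here as an example and not part of the original article: it moves the fishbucket aside rather than deleting it, so the old checkpoints can be put back if the full re-index was not wanted. Stopping Splunk before the move, the function name reset_fishbucket and the fishbucket.bak.* backup name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): reset the fishbucket by moving
# it aside instead of deleting it, so the old checkpoints can be restored.

reset_fishbucket() {
    splunk_home=$1
    db_dir="$splunk_home/var/lib/splunk"
    splunk_bin="$splunk_home/bin/splunk"

    [ -n "$splunk_home" ] || { echo "usage: reset_fishbucket SPLUNK_HOME" >&2; return 2; }
    [ -x "$splunk_bin" ] || { echo "no splunk binary at $splunk_bin" >&2; return 1; }
    [ -d "$db_dir/fishbucket" ] || { echo "no fishbucket under $db_dir" >&2; return 1; }

    # Assumption of this example: stop the instance first so nothing writes
    # checkpoints while the directory is being moved.
    "$splunk_bin" stop >&2 || { echo "splunk stop failed; fishbucket untouched" >&2; return 1; }

    # Hypothetical backup name: fishbucket.bak.<UTC timestamp>.<pid>
    backup="$db_dir/fishbucket.bak.$(date -u +%Y%m%dT%H%M%SZ).$$"
    if ! mv "$db_dir/fishbucket" "$backup"; then
        echo "could not move fishbucket; starting Splunk without changes" >&2
        "$splunk_bin" start >&2
        return 1
    fi

    # With the fishbucket gone, Splunk starts without the stored checkpoints,
    # which is the full re-index the article describes.
    "$splunk_bin" start >&2 || { echo "splunk start failed; backup kept at $backup" >&2; return 1; }

    # stdout carries only the backup path so callers can record it.
    echo "$backup"
}

# Run only when asked explicitly: sh reset_fishbucket.sh --run /opt/splunk
if [ "${1:-}" = "--run" ]; then
    reset_fishbucket "${2:-$SPLUNK_HOME}"
fi
```

Every monitored input on the instance is indexed again after this, so expect duplicate events in the corresponding indexes for data that had already been indexed.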

Re-index data without deleting the fishbucket/re-index contents of any specific file

There may be situations where you only want to re-index the data for a particular file. In that case, you can use the btprobe command given below to reset it (run the command on the Splunk instance forwarding data).

btprobe: It queries the fishbucket for checkpoints stored by monitor inputs. Any changes you make to the fishbucket using btprobe take effect only after a restart.

i)  #cd $SPLUNK_HOME/bin

