Installation of Splunk again and again.

Question

Dear All,

I am new to Splunk, So while doing changes in input.conf or props.conf etc. the changes are not taking place unless and untill. I reinstall the splunk. Is there any other method ?

Your help is appreciated..

Accepted Answer

0

Hello. How about it? (using CLI)

Stop Splunk:

./splunk stop

Remove unnecessary data from indexes: (This example removes all data from all indexes.)

./splunk clean all -f

Restart Splunk:

./splunk restart

link

answered 21 Feb '11, 07:42

Hajime
96●3
accept rate: 44%

Thank you very much

(22 Feb '11, 07:15) msona

Answer 2

2

You can pull in changes to props.conf with the not-so-intuitive search command (as admin):

* | extract reload=true

I think you only need to search a short time-window (like 5 minutes) for this to cause props.conf to be reloaded.

link

answered 18 Feb '11, 15:43

rotten
266●8
accept rate: 17%

its short time data like 1 day. But Can splunk changes the data which was already indexed before ?? after changes in props.conf. For example: Splunk taking some unnesessary field values from csv header. I wanna remove that. I am doing changes in conf files but changes taking place after reinstall the splunk.

(21 Feb '11, 02:40) msona

Once the data is indexed it is written in stone. Re-reading the props.conf applies to future events.

(21 Feb '11, 13:39) rotten

Answer 3

0

Have you tried just restarting splunk?

$SPLUNK_HOME$/bin> splunk resart

link

answered 18 Feb '11, 11:10

vaijpc
176●1●1●9
accept rate: 33%

yes, tried but not working. I think the problem is, splunk already index the fields and can not delete the indexed data, if I change somthing input.conf or props.conf

(21 Feb '11, 02:13) msona

Answer 4

As "rotten" mentioned, once the data has been indexed, it cannot be changed. However, some things are not stored in the index. Those things can be changed as you wish. Below are the basics; look in the documentation for more details.

Changes to inputs.conf change how all new data will be indexed. These changes do not affect data that has already been indexed. If you want these changes to apply to all data, you will need to use the splunk clean command, as was shown in one of the other answers.

Changes to props.conf may change how data is indexed:

Setting the source, sourcetype or host - these affect how the data is indexed. Therefore, this is the same as changes to inputs.conf.
Defining field extractions - field definitions are not indexed; fields are built during the search process. These changes do not require that you restart Splunk. Any changes that you make to field extractions will apply to all data, regardless of when it was indexed. (BTW, you can do "index time field extractions" but don't. Use the normal, search-time field extractions - this is what Splunk recommends.)

If you are new to Splunk, I suggest that you use the web interface (the Splunk Manager) to set up your inputs, and the interactive field extractor to set up your fields. One of the nice things about using the Splunk web interface is that it will tell you if you need to restart Splunk.

Installation of Splunk again and again.

Follow this question

Splunk Resources

Related questions