I would like to force the re-indexing of events in a local Windows Event Log channel, let's say "Security". I have tried to clean the fishbucket but it had no effect on the Windows Event Log events. How can I do this?
asked 01 Sep '11, 11:34
Splunk keeps track of what was read from a Windows Event Log channel in checkpoint files. These files are "bookmark" flat text files that live in
Contents of Security_checkpoint:
In order to force the re-indexing of all available events for a given channel, one simply needs to delete the corresponding checkpoint file and restart splunkd. It is possible to fiddle with the RecordId field to re-index from a given event number, but this is usually harder to figure out.
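The delete-and-restart procedure from the answer above, written out as an added PowerShell example (not code from the original post or from Splunk). It assumes the Windows service is named "Splunkd", that checkpoint files are named "<Channel>_checkpoint" (the answer shows Security_checkpoint), and it takes the checkpoint directory as a required parameter because the answer does not reproduce the path. The script stops splunkd before touching the file, since a running splunkd can write the checkpoint back on shutdown and undo the deletion, and it keeps a timestamped backup so the old RecordId can still be inspected.

```powershell
<#
  Reset-WinEventLogCheckpoint.ps1 (added example, not from the original post)

  Forces Splunk to re-index a Windows Event Log channel from the beginning by
  removing its checkpoint file and restarting splunkd.

  Assumptions not stated on the page:
    - the Splunk service is named "Splunkd"
    - checkpoint files are named "<Channel>_checkpoint" and live in $CheckpointDir
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)][string]$CheckpointDir,
    [string[]]$Channel = @('Security'),
    [string]$ServiceName = 'Splunkd'
)

$ErrorActionPreference = 'Stop'

# Stop splunkd first: a running splunkd may rewrite the checkpoint on shutdown,
# which would silently undo the deletion below.
$svc = Get-Service -Name $ServiceName
if ($svc.Status -ne 'Stopped') {
    if ($PSCmdlet.ShouldProcess($ServiceName, 'Stop service')) {
        Stop-Service -Name $ServiceName
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
    }
}

foreach ($ch in $Channel) {
    $file = Join-Path $CheckpointDir ("{0}_checkpoint" -f $ch)
    if (-not (Test-Path -LiteralPath $file)) {
        Write-Warning "No checkpoint file for channel '$ch' at $file; nothing to reset."
        continue
    }

    # Show the current bookmark (RecordId etc.) before it is removed.
    Write-Verbose ("Current checkpoint for {0}:`n{1}" -f $ch, (Get-Content -LiteralPath $file -Raw))

    # Keep a timestamped copy so the old position can be restored if needed.
    $backup = "{0}.{1:yyyyMMdd-HHmmss}.bak" -f $file, (Get-Date)
    if ($PSCmdlet.ShouldProcess($file, 'Back up and delete checkpoint')) {
        Copy-Item -LiteralPath $file -Destination $backup
        Remove-Item -LiteralPath $file
        Write-Verbose "Deleted $file (backup at $backup)"
    }
}

# Restart splunkd; with no checkpoint present it reads the channel from the start.
if ($PSCmdlet.ShouldProcess($ServiceName, 'Start service')) {
    Start-Service -Name $ServiceName
}
```

Run it from an elevated prompt, first with `-WhatIf` to see which file and service it would touch, e.g. `.\Reset-WinEventLogCheckpoint.ps1 -CheckpointDir '<checkpoint directory>' -Channel Security -WhatIf -Verbose`. Keep in mind that re-reading the whole channel indexes every event a second time: the duplicates land in the same index alongside the originals and count against the daily license volume, so on a busy Security log it is worth checking how much data that is before restarting.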