dear all,
the problem solved after restarted splunk. thanks
Hi tedfong,
The delete command does not delete events, it just hides event from being shown in a search. See the docs for more details http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Delete
To re-index your file you must first clean the fishbucket, this is where Splunk keeps track of the indexed files, see the docs for more detail http://docs.splunk.com/Documentation/Splunk/6.2.1/Troubleshooting/CommandlinetoolsforusewithSupport#... to clean only one or more files.
If you can remove everything that was indexed until now run this command
$SPLUNK_HOME/bin/splunk clean all
Cheers, MuS
I got the error like below but it is not the last one. I am not able to index other file. It stopped at the last line
12-30-2014 17:33:44.394 +0800 ERROR ApplicationUpdater - Error checking for update, URL=/api/apps:resolve/checkforupgrade: Connect to=https://apps.splunk.com timed out; exceeded 10sec
12-30-2014 17:34:11.048 +0800 INFO DatabaseDirectoryManager - Writing a bucket manifest in hotWarmPath='D:\Program Files\Splunk\var\lib\splunk_internaldb\db'. Reason='Updating manifest: bucketUpdates=1'
12-30-2014 17:34:11.095 +0800 INFO DatabaseDirectoryManager - Writing a bucket manifest in hotWarmPath='D:\Program Files\Splunk\var\lib\splunk_introspection\db'. Reason='Updating manifest: bucketUpdates=1'
12-30-2014 17:34:12.048 +0800 INFO DatabaseDirectoryManager - Writing a bucket manifest in hotWarmPath='D:\Program Files\Splunk\var\lib\splunk\audit\db'. Reason='Updating manifest: bucketUpdates=1'
12-30-2014 17:36:56.150 +0800 INFO WatchedFile - Resetting fd to re-extract header.
12-30-2014 17:36:56.150 +0800 INFO BatchReader - Removed from queue file='E:\SPLUNK\CWS\INBOX\test\SIT\cws_app_log_sit2\20141215cws_app_log_sit1.csv'.
I found the below error from the splunk log and try to fix it by by adding crcSalt as below. But seems its not work.
12-30-2014 15:24:31.493 +0800 ERROR TailingProcessor - File will not be read, seekptr checksum did not match (file=E:\SPLUNK\CWS\INBOX\test\SIT\cws_a\csms_20141214_17_HKX35A.log). Last time we saw this initcrc, filename was different. You may wish to use a CRC salt on this source. Consult the documentation or file a support case online at http://www.splunk.com/page/submit_issue for more info.
<<<<<<<<
[monitor://E:\SPLUNK\CWS\INBOX\test\SIT\cws_a\*.log]
disabled = false
followTail = 0
sourcetype = CWS_LOG_SIT3
index = main
crcSalt =
If you want to use crcSalt it should look like this:
crcSalt = <SOURCE>