Refine your search:

Can Splunk delete old log files after indexing them?

2

What's the recommended best practice for pruning a directory after Splunk indexes its files? I want to create a "drop box" directory where I can drop files and have Splunk index them, but I don't want the directory to become a management problem.

Can Splunk be configured so that once it reads and successfully indexes a log file, can it also delete the file?

I'm trying to avoid prematurely deleting files before splunk has a chance to index them, but I also want to avoid chewing up disk space due to too many files hanging around.

asked 13 Jan '10, 01:08

Justin%20Grant's gravatar image

Justin Grant
1.5k6739
accept rate: 50%

edited 13 Jan '10, 01:37

5 Answers:
oldestnewestmost voted
4

The batch input mode of Splunk does exactly this: http://www.splunk.com/base/Documentation/latest/admin/MonitorFilesAndDirectories#Why_use_upload_or_batch

You can do this via the web by visiting:

Manager » Data inputs » Files & Directories » Add New

and then selecting either:

  • Upload a local file
  • Index a file on the Splunk server

Or, you can do this at the command line by copying files directly into the sinkhole at:

$SPLUNK_HOME/var/spool/splunk/
link

answered 13 Jan '10, 18:14

Johnvey's gravatar image

Johnvey ♦♦
2.2k1217
accept rate: 58%

2

Is there any way to delete files from a "monitored directory" after Splunk has indexed the file? We have a monitored directory which receives files constantly and continuosly...a file upload or batch load is not practical.

Thanks!

link

answered 19 Jul '11, 11:27

HKing's gravatar image

HKing
311
accept rate: 0%

0

Hi HKing, did you find a way to do this after? I am seeing the same problem in $SPLUNK_HOME/var/spool/splunk and am wondering if we can modify splunk to remove the files once indexed.

link

answered 07 Nov '11, 19:12

brianokelly's gravatar image

brianokelly
201
accept rate: 0%

0

Did we get any solution on this , I too have the similar requirement

link

answered 20 Mar, 23:57

saravanababumr's gravatar image

saravanababumr
211
accept rate: 0%

0

The final answer is, no, Splunk does not have a built-in mechanism for this. You must write your own script to perform cleanup.

link

answered 21 Mar, 08:35

hmkjr's gravatar image

hmkjr
1
accept rate: 0%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×28

Asked: 13 Jan '10, 01:08

Seen: 2,333 times

Last updated: 21 Mar, 08:35

Related questions

Data Input: Monitor a directory for new files and delete when indexed

Monitor a file or directory indexing no longer working

Splunk not indexing modified files

Is there a way to monitor the number of files in the dispatch directory?

Can I continue to delete files on Splunk Free Edition

How to manage indexing rolling log files without duplicating data in the Index

monitor files in /var/log with different source types

Splunk stopped indexing some files

How do I monitor files in a folder as well as the files in all subfolders?

Copyright © 2005-2012 Splunk, Inc. All rights reserved.