topic Re: script in Splunk Enterprise

script to rotate log files ?

SN1 — Wed, 03 Dec 2025 14:23:42 GMT

I want to create a script for log rotation in splunk , which makes a zip file of last 3 days (individual zip files) ,so every new day it will make a new zip file and if the count of zip files is greater than 3 then it should delete oldest zip file so that count of zip file remains 3 only. because we only want zip file of last 3 days only. There is a main file which is storing logs everyday (file name: firewall) and the script will be schedule like 1 am everyday.

Re: script

ITWhisperer — Wed, 03 Dec 2025 05:56:43 GMT

This isn't really a Splunk question, it is a scripting question. Which scripting language do you want to use (there are many to choose from)?

Re: script

thahir — Wed, 03 Dec 2025 08:24:13 GMT

@SN1 try the below log rotation script, modify the file log file name based on yours and setup the cron schedule based on your requirement.

#!/bin/bash
# Compress files >1 day old
find "<path of log file location> -iname "firewall-*.log" -type f -mtime +1 -exec gzip {} \;

# Delete .gz files >3 days old
find <path of log file location> -name "firewall-*.log.gz" -type f -mtime +3 -exec rm {} \;

let me know if you are facing any issues.

Re: script

PickleRick — Wed, 03 Dec 2025 19:57:47 GMT

Please don't share "ready to use" scripts based on serious assumptions without at least explaining what those assumptions are.

In here your quite strong assumption is that there would be no files matching firewall-*.log.gz coming from other sources (possibly in other subdirectories.

Also - you're mixing -name with -iname.