Move indexed file!

erick_costa — Wed, 08 Jan 2014 21:26:14 GMT

How to do to move files indexed by splunk?

[monitor:///var/log/teste/teste.log]

Re: Move indexed file!

Lucas_K — Thu, 09 Jan 2014 02:54:46 GMT

I assume your talking about the source log files?

It all depends on what you are trying to do and how your logs are generated.
Are they rolling, appended to or created freshly each time? That would determine what sort of input you should be using.

As you are using a monitor statement there are no parameters to do anything with the file once it has been read, it just monitors (ie. reads) the file for new events. It is a non-destructive process.

If your looking to delete the file once it is read they you need to look at using a different type of input stanza that has a move_policy option such as batch ( http://docs.splunk.com/Documentation/Splunk/6.0.1/admin/inputsconf ).

move_policy = sinkhole
IMPORTANT: This attribute/value pair is required. You must include "move_policy = sinkhole" when defining batch inputs.

This loads the file destructively.

Do not use the batch input type for files you do not want to consume destructively.

As long as this is set, Splunk won't keep track of indexed files. Without the "move_policy = sinkhole" setting, it won't load the files destructively and will keep a track of them.

Normally you would use that for uniquely logs that are placed into your filesystem by another process ie. ftp-ed in etc etc.

Re: Move indexed file!

erick_costa — Thu, 09 Jan 2014 14:26:09 GMT

I want to move to another folder!

eg. \backup\logs\

Re: Move indexed file!

erick_costa — Thu, 09 Jan 2014 14:26:58 GMT

I want to move to another folder!

eg. \backup\logs\

topic Re: Move indexed file! in Getting Data In

Move indexed file!

Re: Move indexed file!

Re: Move indexed file!

Re: Move indexed file!