https://community.splunk.com/t5/Getting-Data-In/Why-is-batch-processing-not-removing-files-after-indexing-them/m-p/217856#M42860 <P>I have an app that is not removing/deleting the files after consuming them. They are indexed appropriately, but just not deleted afterwards.</P> <P>inputs.conf</P> <PRE><CODE>[batch:///opt/splunk/etc/apps/my-special-app/pickup/*.json] index = test sourcetype = nessus_json move_policy = sinkhole </CODE></PRE> <P>I have tested this on a second Splunk box and the exact same app will correctly remove the files after indexing them. I can't tell where the issue may be on this main Splunk box, however. Any suggestions?</P> <P>On Splunk v6.2.1. This worked a month or so ago. I'd rather figure out the cause before moving to upgrade the Splunk instance.</P> Tue, 03 Nov 2015 17:07:20 GMT jizzmaster 2015-11-03T17:07:20Z https://community.splunk.com/t5/Getting-Data-In/Why-is-batch-processing-not-removing-files-after-indexing-them/m-p/217856#M42860 <P>I have an app that is not removing/deleting the files after consuming them. They are indexed appropriately, but just not deleted afterwards.</P> <P>inputs.conf</P> <PRE><CODE>[batch:///opt/splunk/etc/apps/my-special-app/pickup/*.json] index = test sourcetype = nessus_json move_policy = sinkhole </CODE></PRE> <P>I have tested this on a second Splunk box and the exact same app will correctly remove the files after indexing them. I can't tell where the issue may be on this main Splunk box, however. Any suggestions?</P> <P>On Splunk v6.2.1. This worked a month or so ago. I'd rather figure out the cause before moving to upgrade the Splunk instance.</P> Tue, 03 Nov 2015 17:07:20 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-batch-processing-not-removing-files-after-indexing-them/m-p/217856#M42860 jizzmaster 2015-11-03T17:07:20Z https://community.splunk.com/t5/Getting-Data-In/Why-is-batch-processing-not-removing-files-after-indexing-them/m-p/217857#M42861 <P>Sounds like the permissions on the filesystem got screwed up. Check to make sure the account splunk is running as can actually delete the files.</P> Thu, 26 Oct 2017 21:39:24 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-batch-processing-not-removing-files-after-indexing-them/m-p/217857#M42861 samhays 2017-10-26T21:39:24Z https://community.splunk.com/t5/Getting-Data-In/Why-is-batch-processing-not-removing-files-after-indexing-them/m-p/217858#M42862 <P>I forced a permissions issue with a file such that the Splunk user had read, not write permissions to a file that was configured as a batch input. It resulted in this line in <CODE>splunkd.log</CODE>:</P> <PRE><CODE>11-24-2017 22:49:10.062 +0000 ERROR TailReader - Unable to remove sinkhole file: path=/tmp/batch_del_fail.log, errno=Operation not permitted </CODE></PRE> <P>Can you look for a similar message to verify if it is a simple permissions issue?</P> Fri, 24 Nov 2017 22:52:50 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-batch-processing-not-removing-files-after-indexing-them/m-p/217858#M42862 micahkemp 2017-11-24T22:52:50Z