Deployment Architecture

Can splunk delete remote event logs?

asmercer2004
Explorer

I am using Splunk to pull the event log data off several machines on a domain and archive them on a single server. Is there a way to have Splunk automatically delete/truncate the remote event logs on the remote machines after I archive them?


cervelli
Splunk Employee

Why not just configure the event logs to roll? That's the default state and MSFT best practice.

Splunk doesn't do destructive reads, and I'm not sure that even PowerShell will let you. A cursory examination suggests this is not something MSFT wants to allow, for obvious auditability reasons.

Apologies if that's a non-answer.


gkanapathy
Splunk Employee

Not really, or not by default. Splunk does not, by deliberate intention, delete anything on the source machine (other than logs placed specifically in the batch monitor directory).

In principle, you can write a script to be run by the Splunk forwarder to do anything you want, so it can be done. However, any such script you write will not be integrated with the Splunk file or WinEventLog monitoring systems.

Genti
Splunk Employee

Your question and environment are a bit unclear. Is the data coming from forwarders into the single Splunk server (indexer)? If this is the case, then there is no data being "indexed" on the other machines, and hence nothing to delete.
It almost sounds like you would like the original raw data to be deleted? If that is the case, Splunk does not touch that data at all, in the sense that it only monitors the logs but never changes or manipulates them.

Hence there is no way to use Splunk to delete raw data from your disk.
If I have misunderstood your question, you might want to edit it and be a bit more specific.


Genti
Splunk Employee

Then I think the best bet would be to 1. install forwarders on all your servers and set them to monitor your logs and send the events to the Splunk indexer, and 2. set up a saved search that runs every so often and alerts you about how many events you have. If you want, you could also have a script that runs and perhaps calls the remote hosts to delete the data. However, you might want to be careful with this, as if you delete the logs and for some reason they did not make it into Splunk, then you will have data loss.

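As an added illustration of the two steps above (not configuration from this thread or from Splunk's own docs): a forwarder input for the Security log plus a scheduled alert that fires when an expected host has sent no Security events in the last hour, which is the check you would want before touching any source logs. It assumes an index named `wineventlog`, a lookup file `expected_hosts.csv` with a single `host` column listing every monitored machine, and a placeholder alert address.

```ini
# inputs.conf on each universal forwarder (step 1): monitor the Security
# log and ship it to the indexer. current_only = 0 also backfills existing
# events, which matters when the logs are already full.
[WinEventLog://Security]
disabled = 0
index = wineventlog
current_only = 0
checkpointInterval = 5
renderXml = false

# savedsearches.conf on the indexer / search head (step 2): hourly alert.
# tstats counts Security events per host over the last hour; appending the
# expected host list and filling missing counts with 0 surfaces any host
# that went silent, i.e. events that may not have made it into Splunk.
[WinEventLog - expected hosts gone silent]
search = | tstats count where index=wineventlog sourcetype="WinEventLog:Security" earliest=-1h by host \
| inputlookup append=true expected_hosts.csv \
| fillnull value=0 count \
| stats sum(count) as events by host \
| where events = 0
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
action.email = 1
action.email.to = soc-alerts@example.com
```

Any host listed in the lookup but absent from the tstats results appears with `events = 0` and triggers the alert; only hosts that pass this check have their events confirmed on the indexer.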

asmercer2004
Explorer

No I think you understood it fairly well. I am trying to pull the raw event logs from a number of remote machines. The audit logs are set to a small max size (not changeable, at least by me) and as a result are usually full. We want to pull them off of each machine and store them on a single server then delete them.
