
File cleanup on monitored directory question

New Member

I ran out of space as I am using the free version on an old server for some basic log monitoring. I deleted some old stuff, but can't find an answer after looking here and on the old forum.

I am monitoring a directory (/var/xlogs). xlogs is a basic folder that 2 web servers copy files over to hourly. Those are now months old. If I delete files from yesterday back, and they have been indexed, I assume the data is still there, right?

Also, I am looking at the earliest and latest date. The latest shows 7/25/11 as it ran out of space, so that's fixed and there are new files there. How do I see what's not indexed yet as well as what is? (I'm hoping I can delete the files that are indexed.)

Thanks

0 Karma

Re: File cleanup on monitored directory question

Contributor
  1. Yes, once data has been indexed by Splunk, you do not need the original files.
  2. By looking at the main dashboard, the "sources" list will show you all of the files that Splunk has indexed. Inspect the 'latest time' column to determine where Splunk is in its indexing. (Files under a gigabyte generally take at most a few minutes to index; it depends completely on your hardware.)

0 Karma
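
The check described in the answer above can be scripted before anything is deleted. This is an added example, not part of the original thread: it assumes the sources list has been exported to CSV from the search `| metadata type=sources index=main` (the index name is an assumption), and it treats "file modified after Splunk last indexed that source" as a heuristic sign that indexing has not caught up. The function names are hypothetical.

```python
import csv
import io
import os
import tempfile


def classify(monitored_dir, metadata_csv):
    """Sort files in monitored_dir by whether the metadata export has seen them.

    metadata_csv needs 'source' (file path) and 'recentTime' (epoch seconds of
    the most recent indexing activity for that source) columns.
    """
    seen = {row["source"]: float(row["recentTime"])
            for row in csv.DictReader(io.StringIO(metadata_csv))}
    result = {"indexed": [], "pending": [], "unseen": []}
    for name in sorted(os.listdir(monitored_dir)):
        path = os.path.join(monitored_dir, name)
        if not os.path.isfile(path):
            continue
        if path not in seen:
            result["unseen"].append(path)      # never indexed: keep
        elif os.path.getmtime(path) > seen[path]:
            result["pending"].append(path)     # changed since last indexing: keep
        else:
            result["indexed"].append(path)     # candidate for cleanup
    return result


def demo():
    """Run classify() on constructed sample files and a constructed export."""
    with tempfile.TemporaryDirectory() as d:
        mtimes = {"access.1.log": 1000, "access.2.log": 3000, "access.3.log": 3500}
        for name, mtime in mtimes.items():
            path = os.path.join(d, name)
            with open(path, "w") as fh:
                fh.write("constructed sample line\n")
            os.utime(path, (mtime, mtime))
        rows = ["source,recentTime,totalCount",
                f"{os.path.join(d, 'access.1.log')},2000,10",
                f"{os.path.join(d, 'access.2.log')},2000,4"]
        out = classify(d, "\n".join(rows))
        return {k: [os.path.basename(p) for p in v] for k, v in out.items()}


if __name__ == "__main__":
    print(demo())
```

Only the `indexed` list is a deletion candidate; files in `pending` or `unseen` are the ones whose raw copy is still the only copy.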

Re: File cleanup on monitored directory question

New Member

Cool, thought so just wanted to confirm. Thanks for both.

0 Karma

Re: File cleanup on monitored directory question

New Member

Just to make sure I understand this correctly, if I delete a file specified as a data input that has already been completely indexed, it is okay?

I have some rather large files of old apache logs that have been indexed. I need to delete them to free up some space on the Splunk server. Just want to make sure that I won't lose the indexed/searchable data associated with these files.

Thanks.

0 Karma

Re: File cleanup on monitored directory question

New Member

How can I automate the deletion of files using the Splunk Forwarder?

David

0 Karma