I ran out of space as I am using the free version on an old server for some basic log monitoring. I deleted some old stuff, but can't find an answer after looking here and on the old forum.
If I am monitoring a directory (/var/xlogs). Now xlogs is a basic folder that 2 webservers copy files hourly over to. Those are now months old. If I delete files from yesterday back, and they have been indexed, I assume the data is still there, right?
Also, I am looking at the earliest and latest date. The latest shows 7/25/11 as it ran out of space, so that's fixed and there are new files there. How do I see what's not indexed yet as well as what is (hoping I can delete the files that are indexed).
Just to make sure I understand this correctly, if I delete a file specified as a data input that has already been completely indexed, it is okay?
I have some rather large files of old apache logs that have been indexed. I need to delete them to free up some space on the Splunk server. Just want to make sure that I won't lose the indexed/searchable data associated with these files.