Why not just configure the event logs to roll? That's the default state and MSFT best practice.
Splunk doesn't do destructive reads, and I'm not sure that even PowerShell will let you. A cursory examination suggests this is not something MSFT wants to allow, for obvious auditability reasons.
Apologies if that's a non-answer.
Not really, or not by default. Splunk does not, by deliberate intention, delete anything on the source machine (other than logs placed specifically in the batch monitor directory).
In principle, you can write a script to be run by the Splunk forwarder to do anything you want, so it can be done. However, any such script you write will not be integrated with the Splunk file or WinEventLog monitoring systems.
Your question and environment are a bit unclear. The data is coming from forwarders into the single Splunk server (indexer)? If this is the case, then there is no data being "indexed" on the other machines, and hence nothing to delete.
It almost sounds like you would like the original raw data to be deleted? If that is the case, Splunk does not touch that data at all, in the sense that it only monitors the logs but never changes or manipulates them.
Hence there is no way to use Splunk to delete raw data from your disk.
If I have misunderstood your question you might want to edit it and be a bit more specific.
Then I think the best bet would be to (1) install forwarders on all your servers and set them to monitor your logs and send the events to the Splunk indexer, and (2) set up some saved search that runs every so often and alerts you about how many events you have. If you want, you could also have a script that runs and perhaps calls the remote hosts to delete the data. However, you might want to be careful with this, as if you delete the logs and for some reason they did not make it into Splunk, then you will have data loss.
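One way to implement the "pull the raw log off, store it centrally, then delete it" step without the data-loss risk the answer above warns about. This is an added example, not code from the thread or from Splunk; the share path `\\logserver\evtx-archive`, the channel list and the 90% threshold are assumed placeholders.

```powershell
# Added example: export a near-full Windows event log to a central share,
# verify the archive, and only then clear the local log. The share path and
# channel list below are assumptions, not values from the thread.
$Destination = '\\logserver\evtx-archive'   # assumed central store
$Channels    = @('Security', 'Application', 'System')
$HostName    = $env:COMPUTERNAME
$Stamp       = Get-Date -Format 'yyyyMMdd-HHmmss'

foreach ($channel in $Channels) {
    $log = Get-WinEvent -ListLog $channel
    # Only act when the log is near its (fixed, non-adjustable) maximum size.
    if ($log.FileSize -lt 0.9 * $log.MaximumSizeInBytes) {
        Write-Output "$channel at $($log.FileSize) bytes, below threshold; skipping"
        continue
    }
    $archive = Join-Path $Destination "$HostName-$channel-$Stamp.evtx"
    # Export first as its own step so the clear can be refused if the copy
    # never landed on the share.
    & wevtutil.exe epl $channel $archive
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $archive)) {
        Write-Warning "Export of $channel failed; log left intact"
        continue
    }
    # Re-open the archive and confirm it holds at least as many records as the
    # live log reported, so a truncated or unreadable copy never triggers a clear.
    $archived = (Get-WinEvent -Path $archive -ErrorAction SilentlyContinue |
                 Measure-Object).Count
    if ($archived -lt $log.RecordCount) {
        Write-Warning "$channel archive has $archived records, expected $($log.RecordCount); not clearing"
        continue
    }
    # Clearing the log itself is audited: Windows writes event 1102 (Security)
    # or 104 (System) recording who cleared it, so the action stays traceable.
    & wevtutil.exe cl $channel
    Write-Output "$channel archived to $archive and cleared"
}
```

Run this from the scheduled task or Splunk scripted input on each host; the exported `.evtx` files on the share can then be monitored by a forwarder on the central server.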
No, I think you understood it fairly well. I am trying to pull the raw event logs from a number of remote machines. The audit logs are set to a small max size (not changeable, at least by me) and as a result are usually full. We want to pull them off each machine and store them on a single server, then delete them.