Getting Data In

Can we delete the Splunk internal log files which are running in the path /opt/splunk/var/log/splunk?


We have a storage outage in one of our client's Splunk servers. Can we delete the internal logs?

0 Karma


Hi kaushikkatta03, you can probably delete any of the rotated logs (those that end with .1 , .2 etc.). If the environment is functioning correctly, you should expect those logs to already be indexed in Splunk, and so will be available there.

If possible, you should tarball the logs up and move them to some other area where you have enough space. With that being said, deleting the rotated logs won't have any impact on the system's performance, and so you should be able to do that.

Please let me know if this answers your question!

0 Karma

Ultra Champion


-rw-------. 1 splnkprd dce 25000131 Apr 13 08:06 metrics.log.2
-rw-------. 1 splnkprd dce 25000228 Apr 13 10:29 audit.log.1
-rw-------. 1 splnkprd dce 25000250 Apr 13 13:40 splunkd_access.log.1
-rw-------. 1 splnkprd dce 25000472 Apr 13 18:10 splunkd_ui_access.log.1
-rw-------. 1 splnkprd dce 25000123 Apr 13 21:15 metrics.log.1

They are probably very safe to delete.

0 Karma