Getting Data In

Can you auto remove CSV files after indexing?

jiaqya
Builder

Is there a configuration in Splunk where it can remove/move a CSV file after it has been indexed? so it does not show as active in the configured data input folder for being scanned as a valid file..( since its already indexed )

John.

0 Karma
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi jiaqya,

you are looking for the [batch://...] stanza in inputs.conf, here are the docs http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#BATCH_.28.22Upload_a_file.22_in_...

[batch://<path>]
* A one-time, destructive input of files in <path>.
* For continuous, non-destructive inputs of files, use 'monitor' instead.

# Additional settings:

move_policy = sinkhole
* IMPORTANT: This setting is required. You *must* include
  "move_policy = sinkhole" when you define batch inputs.
* This setting causes the input to load the file destructively.

Hope this helps ...

cheers, MuS

View solution in original post

MuS
SplunkTrust
SplunkTrust

Hi jiaqya,

you are looking for the [batch://...] stanza in inputs.conf, here are the docs http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#BATCH_.28.22Upload_a_file.22_in_...

[batch://<path>]
* A one-time, destructive input of files in <path>.
* For continuous, non-destructive inputs of files, use 'monitor' instead.

# Additional settings:

move_policy = sinkhole
* IMPORTANT: This setting is required. You *must* include
  "move_policy = sinkhole" when you define batch inputs.
* This setting causes the input to load the file destructively.

Hope this helps ...

cheers, MuS

deepashri_123
Motivator

Hey@MuS,

What permission does the file require for destructive input?

0 Karma

MuS
SplunkTrust
SplunkTrust

If on nix you need write (+w) permissions, and parent directory should be accessible (+x) to the user which is you want to have delete permission.

If on Windows ... ¯\_(ツ)_/¯ sorry cannot help here, but I'm sure you will find something asking google.

cheers, MuS

jiaqya
Builder

Mus, Thanks, thats mostly what i want. But , is there an option to delete only beyond 7 days or 'n' number of days , so at least i retain few recent files...

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Introducing ITSI 5.0: Unified Visibility and Actionable Insights

Introducing ITSI 5.0: Unified Visibility and Actionable Insights Tuesday, July 21, 2026  |  10:00AM PT / ...

Inside Splunk Agent Observability: Understanding Agent Behavior, Tokens & Costs

Inside Splunk Agent Observability:Understanding Agent Behavior, Tokens & Costs Thursday, August 06, ...

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...