Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I delete old log data past a certain time on an index?

bayman
Path Finder
‎03-21-2017 11:02 AM

We're running out of disk space.

How do I delete old log data past a certain time on an index?

If I set a max index size, what happens when that limit is reached for an index?

How should I rotate logs so old logs are automatically deleted?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎03-21-2017 11:18 AM

You can delete data directly from the file system or use the clean command

$SPLUNK_HOME/bin/splunk clean eventdata -index <index_name>

Note that the delete command will not delete data from the file system, it will only hide it in Splunk web

http://docs.splunk.com/Documentation/Splunk/6.1.4/Indexer/RemovedatafromSplunk

If you set max index size, then the oldest data that is past that max size will either be deleted or archived if you specified a frozen path when creating your index.

Splunk buckets will roll from hot --> warm --> cold --> frozen.. I believe by default they will roll to frozen every 6 years OR until they reach the max index size

http://docs.splunk.com/Documentation/Splunk/6.5.2/Indexer/HowSplunkstoresindexes

View solution in original post

Reply
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎03-21-2017 11:18 AM

You can delete data directly from the file system or use the clean command

$SPLUNK_HOME/bin/splunk clean eventdata -index <index_name>

Note that the delete command will not delete data from the file system, it will only hide it in Splunk web

http://docs.splunk.com/Documentation/Splunk/6.1.4/Indexer/RemovedatafromSplunk

If you set max index size, then the oldest data that is past that max size will either be deleted or archived if you specified a frozen path when creating your index.

Splunk buckets will roll from hot --> warm --> cold --> frozen.. I believe by default they will roll to frozen every 6 years OR until they reach the max index size

http://docs.splunk.com/Documentation/Splunk/6.5.2/Indexer/HowSplunkstoresindexes

Reply
Solved! Jump to solution

bayman
Path Finder
‎03-21-2017 11:24 AM

/opt/splunk/var/lib/splunk folder size is 200G of data.
I'm assuming I manage this folder size via the Index size limit?

/var/log/splunk folder size is 90G of data
How should I manage this folder size? Is it safe to delete these *.log files in this folder?

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎03-21-2017 11:30 AM

Yes correct, by default the max index size will be 500GB. Go to Settings>Index and find your index and modify the size limits

I'm assuming var/log/splunk is on a separate server which is being forwarded to Splunk? If so then yeah you can delete those log files as it's already been ingested by Splunk (Check before removing! A better strategy would be to zip them or move to another drive if they are important). As for log rotation, that's more of a sys-admin task rather than a Splunk task. You will either need to grow the drive or roll your logs on a regular basis

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...