
How to use batch in inputs.conf file to upload files?

SplunkDash
Motivator

Hello,

I have some use cases where we need to delete files right after they are read/pushed by the UF. How would I do it? Are there any ways we can let the UF do this task using batch in the inputs.conf file? Any recommendation would be highly appreciated, thank you!


m_pham
Splunk Employee

See the batch stanza configs below:

Use the 'batch' input for large archives of historic data. If you
want to continuously monitor a directory or index small archives, use 'monitor'
(see the MONITOR section). 'batch' reads in the file and indexes it, and then
deletes the file on disk.

[batch://<path>]
* A one-time, destructive input of files in <path>.
* This stanza must include the 'move_policy = sinkhole' setting.
* This input reads and indexes the files, then DELETES THEM IMMEDIATELY.
* For continuous, non-destructive inputs of files, use 'monitor' instead.

https://docs.splunk.com/Documentation/Splunk/latest/Admin/inputsconf#BATCH_.28.22Upload_a_file.22_in...:

SplunkDash
Motivator

Hello,

Thank you so much for your response; I truly appreciate it.

Do you think the following is the typical structure for an inputs.conf file using batch, and is it going to work?

[batch:///home/mydatafolder/*.log]
disabled = false
index = myindex
sourcetype = mysourcetpye
move_policy = sinkhole

Your recommendation will be highly appreciated, thank you so much again.

 

 


m_pham
Splunk Employee

It should work fine. Since the logs will be deleted, best you double check the file path and index/sourcetype names.
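
One way to do that double-check before the forwarder picks up the stanza, as an added example that is not part of the original thread or Splunk's own tooling: it reads inputs.conf text, flags batch stanzas missing `move_policy = sinkhole`, `index` or `sourcetype`, and lists the files the path currently matches. The function names are hypothetical, and the sample directory and files are constructed.

```python
import glob
import os
import tempfile

def parse_stanzas(conf_text):
    """Minimal .conf reader returning {stanza: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def review_batch_inputs(conf_text):
    """For every batch:// stanza, list problems and the files it would consume."""
    report = {}
    for name, settings in parse_stanzas(conf_text).items():
        if not name.startswith("batch://"):
            continue  # only the destructive batch inputs are reviewed here
        path = name[len("batch://"):]
        problems = []
        if settings.get("move_policy") != "sinkhole":
            problems.append("move_policy = sinkhole is missing")
        problems += [f"{k} is not set" for k in ("index", "sourcetype") if k not in settings]
        # Assumption: '*' is approximated with Python's glob; Splunk's '...' is not handled.
        pattern = os.path.join(path, "*") if os.path.isdir(path) else path
        files = sorted(p for p in glob.glob(pattern) if os.path.isfile(p))
        report[name] = {"problems": problems, "would_delete": files}
    return report

def demo():
    """Constructed sample: a temp directory stands in for /home/mydatafolder."""
    with tempfile.TemporaryDirectory() as d:
        for fname in ("a.log", "b.log", "keep.txt"):
            open(os.path.join(d, fname), "w").close()
        conf = (f"[batch://{d}/*.log]\ndisabled = false\nindex = myindex\n"
                "sourcetype = mysourcetype\nmove_policy = sinkhole\n")
        return review_batch_inputs(conf)

if __name__ == "__main__":
    for stanza, info in demo().items():
        print(stanza, info["problems"] or "OK")
        for path in info["would_delete"]:
            print("  would be indexed, then deleted:", path)
```

Run it against the real inputs.conf on a host where the data path exists; the file list is only a snapshot of what matches at that moment.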
