When does the Splunk forwarder empty the /splunkfo...

othersider2 · ‎01-09-2019

I performed a Splunk forwarder spool command to send a log file to Splunk Enterprise. The command made a copy of the log file and placed it into the $SPLUNK_HOME/splunkforwarder/var/spool/splunk directory. The log file was then successfully sent to the Enterprise sever. I was expecting that after the log file was successfully sent, that it would then be deleted from the $SPLUNK_HOME/splunkforwarder/var/spool/splunk directory. But the log file is still there.

Isn't the Splunk forwarder supposed to delete spooled files after a successful send? If so, what must I do to configure this, since it isn't happening out of the box?

bangalorep · ‎01-10-2019

Hello,
You could try this https://answers.splunk.com/answers/294682/the-splunk-homevarspoolsplunk-directory-is-filling.html

MuS · ‎01-09-2019

Hi othersider2,

check splunkd.log of the universal forwarder for error messages related to this file. Most likely a permission issue, and the UF is not able to delete the file.

cheers, MuS

When does the Splunk forwarder empty the /splunkforwarder/var/spool/splunk directory?

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation

When does the Splunk forwarder empty the /splunkforwarder/var/spool/splunk directory?

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience