Getting Data In

When does the Splunk forwarder empty the /splunkforwarder/var/spool/splunk directory?

othersider2
New Member

I performed a Splunk forwarder spool command to send a log file to Splunk Enterprise. The command made a copy of the log file and placed it into the $SPLUNK_HOME/splunkforwarder/var/spool/splunk directory. The log file was then successfully sent to the Enterprise server. I was expecting that after the log file was successfully sent, it would then be deleted from the $SPLUNK_HOME/splunkforwarder/var/spool/splunk directory. But the log file is still there.

Isn't the Splunk forwarder supposed to delete spooled files after a successful send? If so, what must I do to configure this, since it isn't happening out of the box?

0 Karma

bangalorep
Communicator
0 Karma

MuS
SplunkTrust

Hi othersider2,

Check splunkd.log of the universal forwarder for error messages related to this file. Most likely a permission issue, and the UF is not able to delete the file.

cheers, MuS

0 Karma
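The two checks suggested in the answer above, as an added example that is not part of the original posts and not Splunk tooling: filter splunkd.log for WARN/ERROR lines naming the spooled file, and test whether the current account may delete from the spool directory. The function names, the "date time tz LEVEL component - message" line layout, and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: triage for a spooled file that the forwarder did not remove.
# Run as the OS account splunkd runs under, so the tests reflect its rights.

# Print WARN/ERROR lines from a splunkd.log that mention the given file name.
# Assumes the "date time tz LEVEL component - message" layout (field 4 = level).
spool_log_issues() {
    log=$1 name=$2
    awk -v f="$name" '($4 == "WARN" || $4 == "ERROR") && index($0, f)' "$log"
}

# Return 0 if the current user can unlink file $2 from directory $1.
# Deleting needs write+search on the directory, not on the file; with the
# sticky bit set, only the file owner, directory owner or root may delete.
can_delete_from_dir() {
    dir=$1 file=$2
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 2; }
    [ -w "$dir" ] && [ -x "$dir" ] || { echo "no write/search on $dir"; return 1; }
    if [ -k "$dir" ] && [ "$(id -u)" -ne 0 ] \
        && [ ! -O "$dir/$file" ] && [ ! -O "$dir" ]; then
        echo "sticky bit on $dir and $file is owned by another user"; return 1
    fi
    echo "delete permitted: $dir/$file"
}

# Constructed demo: temp spool dir and made-up log lines (not real splunkd
# output; "ExampleComponent" is a placeholder component name).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/spool" && : > "$tmp/spool/app.log"
    cat > "$tmp/splunkd.log" <<'EOF'
01-01-2025 10:00:00.000 +0000 INFO ExampleComponent - read file=/spool/app.log
01-01-2025 10:00:01.000 +0000 ERROR ExampleComponent - cannot remove file=/spool/app.log
01-01-2025 10:00:02.000 +0000 WARN ExampleComponent - retry file=/spool/other.log
EOF
    spool_log_issues "$tmp/splunkd.log" app.log
    if can_delete_from_dir "$tmp/spool" app.log; then rc=0; else rc=$?; fi
    rm -rf "$tmp"
    return "$rc"
}
demo
```

On a real forwarder, pass `$SPLUNK_HOME/var/log/splunk/splunkd.log` and the spool directory from the question instead of the temporary paths.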