Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Where in Splunk are my log files indexed?

rajendran
New Member
‎06-28-2016 02:35 AM

I am using Splunk 6.0. I configured a log file to be automatically indexed in Splunk by editing inputs.conf. I am able to view the indexed values in Splunk Web, but I want to know the location of where the log file got indexed, because if any data got indexed incorrectly, I want to remove the log file from the location. While doing it manually via DataInputs, I was able to view the log file in DataInputs > Files&Directories. It is easy to remove the data by deleting from there, but I need to do the same during the log file indexing automatically. Please help me to find out this

0 Karma
Reply

splunk_force_as
Path Finder
‎06-28-2016 09:50 AM

So there are few different things to consider:

  1. In terms of where the data gets indexed, by default $SPLUNK_HOME/var/log/splunk directory. See https://answers.splunk.com/answers/418636/where-do-logs-go-when-uploaded-via-splunk-webs-add.html#an...

  2. In terms of deleting the data: for the most part, it isn't recommended that you manually delete indexed data (buckets) because that could cause issues depending on your deployment setup. Splunk employs a retention policy where data is deleted by age (or size). The default is ~ 6 years, but this number is configurable on global and/or index basis. This will need to be configured in the indexes.conf, see : http://docs.splunk.com/Documentation/Splunk/6.0.3/Indexer/Setaretirementandarchivingpolicy. If you have the need to delete data, I recommend that you let the data retire, and re-index the data properly ( consider disk space and licensing.)

  3. What index are you sending your data to? If it's a new index and the data is fairly recent, you could clean the index but keep in mind that ALL data in that index will be deleted. See: http://docs.splunk.com/Documentation/Splunk/6.4.1/Indexer/RemovedatafromSplunk

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...