Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Where in Splunk are my log files indexed?

rajendran
New Member
‎06-28-2016 02:35 AM

I am using Splunk 6.0. I configured a log file to be automatically indexed in Splunk by editing inputs.conf. I am able to view the indexed values in Splunk Web, but I want to know the location of where the log file got indexed, because if any data got indexed incorrectly, I want to remove the log file from the location. While doing it manually via DataInputs, I was able to view the log file in DataInputs > Files&Directories. It is easy to remove the data by deleting from there, but I need to do the same during the log file indexing automatically. Please help me to find out this

0 Karma
Reply

splunk_force_as
Path Finder
‎06-28-2016 09:50 AM

So there are few different things to consider:

  1. In terms of where the data gets indexed, by default $SPLUNK_HOME/var/log/splunk directory. See https://answers.splunk.com/answers/418636/where-do-logs-go-when-uploaded-via-splunk-webs-add.html#an...

  2. In terms of deleting the data: for the most part, it isn't recommended that you manually delete indexed data (buckets) because that could cause issues depending on your deployment setup. Splunk employs a retention policy where data is deleted by age (or size). The default is ~ 6 years, but this number is configurable on global and/or index basis. This will need to be configured in the indexes.conf, see : http://docs.splunk.com/Documentation/Splunk/6.0.3/Indexer/Setaretirementandarchivingpolicy. If you have the need to delete data, I recommend that you let the data retire, and re-index the data properly ( consider disk space and licensing.)

  3. What index are you sending your data to? If it's a new index and the data is fairly recent, you could clean the index but keep in mind that ALL data in that index will be deleted. See: http://docs.splunk.com/Documentation/Splunk/6.4.1/Indexer/RemovedatafromSplunk

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...
Top