Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What are ways to clean up log files which are already indexed?

rajgowd1
Communicator
‎11-21-2016 09:12 AM

Hi,
we have a forwarder installed in different VM's and have log files like 2016-11-01 to 2016-11-21 and all them are indexed.

every month's end, i need to clean up logs from date 01 to 15.
how can i achieve this in Splunk? do we need write a custom script and configure cronjob in Splunk machine?

it would be great, if you provide any different thoughts to achieve this.

0 Karma
Reply

vincenteous
Communicator
‎11-21-2016 10:52 AM

Hi rajgowd1,

I believe the best Splunk can offer by default is using [batch://] instead of [monitor://] to immediately destroy the original log file after indexing. Based on your requirement, a custom script with cronjob will be the most suitable.

0 Karma
Reply

rajgowd1
Communicator
‎11-21-2016 11:08 AM

Hi,
thank you.can you please provide steps to implement using [batch://] option.

0 Karma
Reply

vincenteous
Communicator
‎11-21-2016 07:20 PM

Hi,

Sure, I've taken this from admin guide:

[batch:///path/to/log/file]
sourcetype = my_sourcetype
index = my_index
recursive = false
move_policy = sinkhole

Remember to add "move_policy = sinkhole".

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...