Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What are ways to clean up log files which are already indexed?

rajgowd1
Communicator
‎11-21-2016 09:12 AM

Hi,
we have a forwarder installed in different VM's and have log files like 2016-11-01 to 2016-11-21 and all them are indexed.

every month's end, i need to clean up logs from date 01 to 15.
how can i achieve this in Splunk? do we need write a custom script and configure cronjob in Splunk machine?

it would be great, if you provide any different thoughts to achieve this.

0 Karma
Reply

vincenteous
Communicator
‎11-21-2016 10:52 AM

Hi rajgowd1,

I believe the best Splunk can offer by default is using [batch://] instead of [monitor://] to immediately destroy the original log file after indexing. Based on your requirement, a custom script with cronjob will be the most suitable.

0 Karma
Reply

rajgowd1
Communicator
‎11-21-2016 11:08 AM

Hi,
thank you.can you please provide steps to implement using [batch://] option.

0 Karma
Reply

vincenteous
Communicator
‎11-21-2016 07:20 PM

Hi,

Sure, I've taken this from admin guide:

[batch:///path/to/log/file]
sourcetype = my_sourcetype
index = my_index
recursive = false
move_policy = sinkhole

Remember to add "move_policy = sinkhole".

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...