Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

File cleanup on monitored directory question

xlancealotx
New Member
‎08-03-2011 11:16 AM

I ran out of space as I am using the free version on an old server for some basic log monitoring. I deleted some old stuff, but can't find an answer after looking here and on the old forum.

If I am monitoring a directory (/var/xlogs). Now xlogs is a basic folder that 2 webservers copy files hourly over to. Those are now months old. If I delete files from yesterday back, and they have been indexed, I assume the data is still there, right?

Also, I am looking at the earliest and latest date. The latest shows 7/25/11 as it ran out of space, so that's fixed and there are new files there. How do I see what's not indexed yet as well as what is (hoping I can delete the files that are indexed).

Tnx

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Johnvey
Contributor
‎08-03-2011 12:11 PM
  1. Yes, once data has been indexed by Splunk, you do not need the original files.
  2. By looking at the main dashboard, the "sources" list will show you all of the files that Splunk has indexed. Inspect the 'latest time' column to determine where Splunk is in its indexing. (Files under a gigabyte generally only take at most a few minutes to index; it completely depends on your hardware).

View solution in original post

0 Karma
Reply
Solved! Jump to solution

dcampill
New Member
‎03-25-2013 07:29 AM

How to automatize the deletion of files using the Splunk Forwarder ?

David

0 Karma
Reply
Solved! Jump to solution

atiu
New Member
‎09-19-2011 02:31 PM

Just to make sure I understand this correctly, if I delete a file specified as a data input that has already been completely indexed, it is okay?

I have some rather large files of old apache logs that have been indexed. I need to delete them to free up some space on the Splunk server. Just want to make sure that I won't lose the indexed/searchable data associated with these files.

Thanks.

0 Karma
Reply
Solved! Jump to solution
Solution

Johnvey
Contributor
‎08-03-2011 12:11 PM
  1. Yes, once data has been indexed by Splunk, you do not need the original files.
  2. By looking at the main dashboard, the "sources" list will show you all of the files that Splunk has indexed. Inspect the 'latest time' column to determine where Splunk is in its indexing. (Files under a gigabyte generally only take at most a few minutes to index; it completely depends on your hardware).
0 Karma
Reply
Solved! Jump to solution

xlancealotx
New Member
‎08-04-2011 07:47 AM

Cool, thought so just wanted to confirm. Thanks for both.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...