Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

File cleanup on monitored directory question

xlancealotx
New Member
‎08-03-2011 11:16 AM

I ran out of space as I am using the free version on an old server for some basic log monitoring. I deleted some old stuff, but can't find an answer after looking here and on the old forum.

If I am monitoring a directory (/var/xlogs). Now xlogs is a basic folder that 2 webservers copy files hourly over to. Those are now months old. If I delete files from yesterday back, and they have been indexed, I assume the data is still there, right?

Also, I am looking at the earliest and latest date. The latest shows 7/25/11 as it ran out of space, so that's fixed and there are new files there. How do I see what's not indexed yet as well as what is (hoping I can delete the files that are indexed).

Tnx

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Johnvey
Contributor
‎08-03-2011 12:11 PM
  1. Yes, once data has been indexed by Splunk, you do not need the original files.
  2. By looking at the main dashboard, the "sources" list will show you all of the files that Splunk has indexed. Inspect the 'latest time' column to determine where Splunk is in its indexing. (Files under a gigabyte generally only take at most a few minutes to index; it completely depends on your hardware).

View solution in original post

0 Karma
Reply
Solved! Jump to solution

dcampill
New Member
‎03-25-2013 07:29 AM

How to automatize the deletion of files using the Splunk Forwarder ?

David

0 Karma
Reply
Solved! Jump to solution

atiu
New Member
‎09-19-2011 02:31 PM

Just to make sure I understand this correctly, if I delete a file specified as a data input that has already been completely indexed, it is okay?

I have some rather large files of old apache logs that have been indexed. I need to delete them to free up some space on the Splunk server. Just want to make sure that I won't lose the indexed/searchable data associated with these files.

Thanks.

0 Karma
Reply
Solved! Jump to solution
Solution

Johnvey
Contributor
‎08-03-2011 12:11 PM
  1. Yes, once data has been indexed by Splunk, you do not need the original files.
  2. By looking at the main dashboard, the "sources" list will show you all of the files that Splunk has indexed. Inspect the 'latest time' column to determine where Splunk is in its indexing. (Files under a gigabyte generally only take at most a few minutes to index; it completely depends on your hardware).
0 Karma
Reply
Solved! Jump to solution

xlancealotx
New Member
‎08-04-2011 07:47 AM

Cool, thought so just wanted to confirm. Thanks for both.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...