Solved: Safest way to delete old finalized jobs?

gfoligna0 · ‎08-19-2011

I need to clean, in a safe way, my finalized jobs before they clean up by their own to avoid quota problems. Wherever on the CLI or the GUI, I should be allowed to clean these up. If I could modify the TTL of the finalized jobs to be cleaned up in a shorter amount of time will be my relief.

I've been searching in the Documentation but I couldn't find the resolution.
We're doing a lot of searches and some user quotas are full.

Right now we're deleting files (older than 5') from the dispatch directory every 5 minutes:

*/5 * * * * find /opt/splunk/var/run/splunk/dispatch/ -type d -mmin +5 | xargs /bin/rm -rf

I'll appreciate any help on this.

Thank you all!

Masa · ‎02-10-2012

I know this is too late. But, just in case;

We introduced a new feature to manage dispatch jobs in 4.2.3.

Here is the answer;
http://splunk-base.splunk.com/answers/29551/too-many-search-jobs-found-in-the-dispatch-directory

View solution in original post

Masa · ‎02-10-2012

I know this is too late. But, just in case;

We introduced a new feature to manage dispatch jobs in 4.2.3.

Here is the answer;
http://splunk-base.splunk.com/answers/29551/too-many-search-jobs-found-in-the-dispatch-directory

gfoligna0 · ‎03-22-2012

Cool.

What we're doing actually is deleting files (and directories) older than 5 minutes on the Dispatch Directory every minute.
I don't know if it's the best solution, but it's working for us. (:

Safest way to delete old finalized jobs?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?