I am attempting to use Splunk to remove the Oracle WebLogic files that are filling up our hard drive.
I have been able to remove other files with a different filename format using the batch command.
But... the following stanza is not working
[batch://C:\Oracle\config\domains\csel\servers\...\DefaultAuditRecorder.*.log]
The filename format is: DefaultAuditRecorder.############.log
where # is a number
Any suggestions?
Read the inputs.spec carefully 😉
* This stanza must include the 'move_policy = sinkhole' setting.
* This input reads and indexes the files, then DELETES THEM IMMEDIATELY.
I use the move_policy. I have tried the following, and it acts the same way.
To monitor for log files I have this in inputs.conf
[monitor://C:\Oracle\config\domains\csel\servers\...\logs\*.logs]
I have tried both of the following to batch the archived files.
1st try:
[batch://C:\Oracle\config\domains\csel\servers\...\DefaultAuditRecorder\[0-9]*.log]
move_policy = sinkhole
crcSalt = <SOURCE>
2nd try:
[batch://C:\Oracle\config\domains\csel\servers\...\]
whitelist = /DefaultAuditRecorder\.[0-9]+\.log$
move_policy = sinkhole
crcSalt = <SOURCE>
I even tried to blacklist the monitor stanza for the files I whitelist in the batch
[monitor://C:\Oracle\config\domains\csel\servers\...\]
blacklist = /DefaultAuditRecorder\.[0-9]+\.log$
Splunk still seems to try and monitor these files, and not batch them.
1. Did you check
splunk list monitor
and
splunk list inputstatus
2. This might not be related, but batch input does not have a crcSalt parameter (it makes no sense in a batch input context at all).
3. Ok, so you have two separate file inputs covering the same path? That might be the problem.
Does the account running Splunk have permission to delete the files? Are there any messages in splunkd.log about the files?
There is no problem with removing files from the directory. Other files are being removed using batch.
This appears to be a regular expression processing issue.
SplunkD log shows the watch being put on the path, and processes the stanzas that relate to the files in question.
The file I want to monitor has the filename of DefaultAuditRecorder.log.
The files I want to use batch on have the form of DefaultAuditRecorder.############.log
The automatic Splunk conversion to regular expression can't differentiate between these two filename formats, and defaults to monitor.
I have made several attempts at a whitelist regular expression for the monitor and batch, but it still doesn't work.
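An added check, not part of any post above: a small Python script that applies Splunk-style whitelist/blacklist regexes (searched against the full path, blacklist taking precedence) to constructed Windows paths, so you can confirm before reloading inputs that an end-anchored monitor whitelist and the numbered batch whitelist claim disjoint files. The paths and stanza rules are constructed for the example; the end-anchored regexes avoid any path-separator dependence.

```python
import re

# Constructed sample paths (not from a real host). Splunk tests whitelist and
# blacklist regexes against the full path of each candidate file.
SAMPLE_PATHS = [
    r"C:\Oracle\config\domains\csel\servers\AdminServer\logs\DefaultAuditRecorder.log",
    r"C:\Oracle\config\domains\csel\servers\AdminServer\logs\DefaultAuditRecorder.00001.log",
    r"C:\Oracle\config\domains\csel\servers\ms1\logs\DefaultAuditRecorder.123456.log",
    r"C:\Oracle\config\domains\csel\servers\ms1\logs\access.log",
]

# Hypothetical stanza rules modelled on the thread: the monitor input keeps only
# the live file, the batch (sinkhole) input takes only the rotated numbered copies.
STANZAS = {
    "monitor": {
        "whitelist": r"DefaultAuditRecorder\.log$",
        "blacklist": r"DefaultAuditRecorder\.[0-9]+\.log$",
    },
    "batch": {
        "whitelist": r"DefaultAuditRecorder\.[0-9]+\.log$",
        "blacklist": None,
    },
}


def stanza_accepts(path, whitelist, blacklist):
    """Return True if a Splunk-style input would pick up `path`.
    Blacklist takes precedence over whitelist; no whitelist means accept all."""
    if blacklist and re.search(blacklist, path):
        return False
    if whitelist is None:
        return True
    return re.search(whitelist, path) is not None


def classify(paths, stanzas):
    """Map each path to the list of stanza names that would accept it."""
    return {
        p: [name for name, rules in stanzas.items()
            if stanza_accepts(p, rules["whitelist"], rules["blacklist"])]
        for p in paths
    }


def overlapping(paths, stanzas):
    """Paths claimed by more than one input: the double-coverage the answer warns about."""
    return [p for p, owners in classify(paths, stanzas).items() if len(owners) > 1]
```

Running `overlapping(SAMPLE_PATHS, STANZAS)` returns an empty list for the filtered rules, while an unfiltered monitor stanza (no whitelist) would claim every numbered file alongside the batch input.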