We can see splunk logs in /opt/splunk/var/log/splunk...we see logs are divided in 5 parts with 25mb of size.ex: audit.log.5.My q? is are the oldest logs are deleted automatically.we can see recent logs in audit.log. And it gets updated every day.Are the old logs in audit.log.5 are being erased forever?
The events in the log file are being erased forever, yes. However, that data is also accessible in the _audit index. Any user with the admin role can search that index as follows:
index=_audit *
1)are the logs(index=_audit *) can be deleted??Will it acquire a large space.
2)how can i check in CLI.,delete logs if needed because all dat stores in /opt/splunk/....which is in root directory and requires lot of space.