Monitoring Splunk

File cleanup on monitored directory question

xlancealotx
New Member

I ran out of space as I am using the free version on an old server for some basic log monitoring. I deleted some old stuff, but can't find an answer after looking here and on the old forum.

I am monitoring a directory (/var/xlogs). xlogs is a basic folder that 2 webservers copy files over to hourly. Those are now months old. If I delete files from yesterday back, and they have been indexed, I assume the data is still there, right?

Also, I am looking at the earliest and latest date. The latest shows 7/25/11 as it ran out of space, so that's fixed and there are new files there. How do I see what's not indexed yet as well as what is (hoping I can delete the files that are indexed)?

Tnx

0 Karma
1 Solution

Johnvey
Contributor
  1. Yes, once data has been indexed by Splunk, you do not need the original files.
  2. By looking at the main dashboard, the "sources" list will show you all of the files that Splunk has indexed. Inspect the 'latest time' column to determine where Splunk is in its indexing. (Files under a gigabyte generally only take at most a few minutes to index; it completely depends on your hardware).

0 Karma
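One way to script the check described in the accepted answer, as an added example that is not part of the original thread: it compares a CSV export of the search `| metadata type=sources index=main` (the index name is an assumption) with file modification times in the monitored directory. The function names and the sample data are constructed for illustration, and the result is a first-pass filter, not proof that a file was indexed completely.

```python
import csv
import io
import os

# Constructed sample: CSV export of `| metadata type=sources index=main`
SAMPLE_METADATA = """source,totalCount,firstTime,lastTime,recentTime
/var/xlogs/web1-access.log.2011-07-20,1200,1311120000,1311206399,1311210000
/var/xlogs/web2-access.log.2011-07-25,40,1311552000,1311560000,1311561000
"""

# Constructed sample: path -> mtime in epoch seconds (use scan_dir() on a real host)
SAMPLE_FILES = {
    "/var/xlogs/web1-access.log.2011-07-20": 1311206400,  # unchanged since last indexing
    "/var/xlogs/web2-access.log.2011-07-25": 1311638399,  # written to after last indexing
    "/var/xlogs/web1-access.log.2011-07-26": 1311724799,  # not in the sources list at all
}

def load_sources(metadata_csv):
    """Map source path -> (totalCount, recentTime) from the CSV export."""
    rows = csv.DictReader(io.StringIO(metadata_csv))
    return {r["source"]: (int(r["totalCount"]), int(float(r["recentTime"])))
            for r in rows}

def scan_dir(root):
    """Real-use helper: path -> mtime for regular files directly under root."""
    return {e.path: e.stat().st_mtime for e in os.scandir(root) if e.is_file()}

def classify(file_mtimes, sources):
    """Split files into deletion candidates and files that must stay."""
    candidates, keep = [], []
    for path, mtime in sorted(file_mtimes.items()):
        count, recent = sources.get(path, (0, 0))
        # Candidate only if Splunk holds events for this source and the file
        # has not been modified since the last event from it was indexed.
        if count > 0 and mtime <= recent:
            candidates.append(path)
        else:
            keep.append(path)
    return candidates, keep

if __name__ == "__main__":
    candidates, keep = classify(SAMPLE_FILES, load_sources(SAMPLE_METADATA))
    print("indexed and unchanged since:", candidates)
    print("keep (not indexed, or modified later):", keep)
```
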

dcampill
New Member

How do I automate the deletion of files using the Splunk Forwarder?

David

0 Karma

atiu
New Member

Just to make sure I understand this correctly, if I delete a file specified as a data input that has already been completely indexed, it is okay?

I have some rather large files of old apache logs that have been indexed. I need to delete them to free up some space on the Splunk server. Just want to make sure that I won't lose the indexed/searchable data associated with these files.

Thanks.

0 Karma

xlancealotx
New Member

Cool, thought so just wanted to confirm. Thanks for both.

0 Karma