I'm trying to change the sinkhole directory and configure it so that it will delete files only after 5 days or so. Is there a way to achieve this?
Hi giovere
You can set up a sinkhole with the batch stanza, meaning you can define any directory as a sinkhole. The move_policy sinkhole tells Splunk to load the file destructively. There is no way to tell Splunk to delete files after five days or so...
But you could set up a monitor stanza instead of a batch stanza and use logadm (on *nix) to rotate/delete the files away after 5 days.
For further information about monitor/batch stanzas, go to -> click me
kind regards
Awesome! thanks ...
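The monitor-plus-cleanup approach from the answer above, as an added example that is not part of the original thread. It uses `find` rather than logadm, and the directory path, script name and function name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Pairs with a monitor input such as
# (the path is an assumption):
#
#   [monitor:///var/log/incoming]
#   disabled = false
#
# purge_old_files DIR DAYS
#   Removes regular files under DIR whose last modification is at least
#   DAYS full days old and prints the number of files removed.
purge_old_files() {
    dir=$1
    days=$2

    # Refuse an empty path, the filesystem root, or a relative path.
    case $dir in
        ''|/) echo "refusing to purge '$dir'" >&2; return 2 ;;
        /*)   ;;
        *)    echo "directory must be an absolute path" >&2; return 2 ;;
    esac
    # Refuse a missing directory or a symlink that could point elsewhere.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "not a real directory: $dir" >&2
        return 2
    fi
    # DAYS must be a whole number of at least 1, without leading zeros.
    case $days in
        ''|*[!0-9]*|0*) echo "days must be a positive integer" >&2; return 2 ;;
    esac

    # find truncates file age to whole days, so "+(DAYS-1)" matches files
    # that are at least DAYS full days old. -type f skips symlinks and
    # directories; -xdev keeps find on the same filesystem.
    find "$dir" -xdev -type f -mtime "+$((days - 1))" \
        -exec rm -f -- {} \; -print | wc -l | tr -d ' '
}

# Run from cron, e.g. once a day: purge.sh /var/log/incoming 5
if [ "$#" -eq 2 ]; then
    purge_old_files "$1" "$2"
fi
```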
You can set a retirement policy to remove indexed data when it reaches a configurable age. For details, see:
http://docs.splunk.com/Documentation/Splunk/4.2.3/Admin/Setaretirementandarchivingpolicy
You can set various time-related settings in indexes.conf: http://docs.splunk.com/Documentation/Splunk/4.2.3/admin/Indexesconf I think with some trial and error you should be able to achieve this.
Thanks a lot! I'll give it a try tomorrow. Do you know if I can remove 5 or so days old data+indexes from Splunk itself, and what's the way to do it?