Is there a way to have Splunk delete the data from a syslog-ng server after it indexes it? Would like to confirm that data is indexed before it gets deleted.
Hey ckillg,
You could also set log rotation in syslog-ng to delete logs after a few days.
Good luck.
Hi ckillg,
If you're looking at inputs.conf (http://docs.splunk.com/Documentation/Splunk/6.3.0/admin/Inputsconf), there is the batch mode, which will delete a file after it has been indexed by Splunk... but it has no confirmation method.
Hope this helps ...
cheers, MuS
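A sketch of the batch input mentioned in the answer above, added here as an example and not part of the original thread. The directory, index name and sourcetype are assumptions; the path is a hypothetical location that syslog-ng rotates closed files into, since a batch input should only see files that are no longer being written.

```ini
# inputs.conf on the Splunk instance that reads the syslog-ng files.
# Example only: path and index below are assumed, adjust to your layout.

# Destructive one-shot input: each matching file is read once and then removed.
[batch:///var/log/syslog-ng/rotated/*.log]
# Required for batch inputs; "sinkhole" deletes the file after it has been read.
move_policy = sinkhole
# Hypothetical index and sourcetype for the collected syslog data.
index = network_syslog
sourcetype = syslog
disabled = false

# For comparison, a monitor input tails files and never deletes them.
# Use this on the live directory and leave cleanup to syslog-ng log rotation.
# [monitor:///var/log/syslog-ng/live]
# index = network_syslog
# sourcetype = syslog
```

Because the file is removed without any acknowledgement that the events are searchable, keeping a short retention window on the syslog-ng side, as the first answer suggests, leaves a copy to re-ingest from if indexing fails.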