Can we delete the Splunk internal log files which ...

Kaushikkatta03 · ‎04-14-2016

We have a storage outage in one of our client's Splunk servers. Can we delete the internal logs?

javiergn · ‎04-14-2016

Take a look at this:

https://answers.splunk.com/answers/959/how-can-i-control-the-size-and-number-of-splunks-internal-log...

http://docs.splunk.com/Documentation/Splunk/6.4.0/Troubleshooting/WhatSplunklogsaboutitself

muebel · ‎04-14-2016

Hi kaushikkatta03, you can probably delete any of the rotated logs (those that end with .1 , .2 etc.). If the environment is functioning correctly, you should expect those logs to already be indexed in Splunk, and so will be available there.

If possible, you should tarball the logs up and move them to some other area where you have enough space. With that being said, deleting the rotated logs won't have any impact on the system's performance, and so you should be able to do that.

Please let me know if this answers your question!

ddrillic · ‎04-14-2016

Right.

-rw-------. 1 splnkprd dce 25000131 Apr 13 08:06 metrics.log.2
-rw-------. 1 splnkprd dce 25000228 Apr 13 10:29 audit.log.1
-rw-------. 1 splnkprd dce 25000250 Apr 13 13:40 splunkd_access.log.1
-rw-------. 1 splnkprd dce 25000472 Apr 13 18:10 splunkd_ui_access.log.1
-rw-------. 1 splnkprd dce 25000123 Apr 13 21:15 metrics.log.1

They are probably very safe to delete.

Can we delete the Splunk internal log files which are running in the path /opt/splunk/var/log/splunk?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life