Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Where in Splunk are my log files indexed?

rajendran
New Member
‎06-28-2016 02:35 AM

I am using Splunk 6.0. I configured a log file to be automatically indexed in Splunk by editing inputs.conf. I am able to view the indexed values in Splunk Web, but I want to know the location of where the log file got indexed, because if any data got indexed incorrectly, I want to remove the log file from the location. While doing it manually via DataInputs, I was able to view the log file in DataInputs > Files&Directories. It is easy to remove the data by deleting from there, but I need to do the same during the log file indexing automatically. Please help me to find out this

0 Karma
Reply

splunk_force_as
Path Finder
‎06-28-2016 09:50 AM

So there are few different things to consider:

  1. In terms of where the data gets indexed, by default $SPLUNK_HOME/var/log/splunk directory. See https://answers.splunk.com/answers/418636/where-do-logs-go-when-uploaded-via-splunk-webs-add.html#an...

  2. In terms of deleting the data: for the most part, it isn't recommended that you manually delete indexed data (buckets) because that could cause issues depending on your deployment setup. Splunk employs a retention policy where data is deleted by age (or size). The default is ~ 6 years, but this number is configurable on global and/or index basis. This will need to be configured in the indexes.conf, see : http://docs.splunk.com/Documentation/Splunk/6.0.3/Indexer/Setaretirementandarchivingpolicy. If you have the need to delete data, I recommend that you let the data retire, and re-index the data properly ( consider disk space and licensing.)

  3. What index are you sending your data to? If it's a new index and the data is fairly recent, you could clean the index but keep in mind that ALL data in that index will be deleted. See: http://docs.splunk.com/Documentation/Splunk/6.4.1/Indexer/RemovedatafromSplunk

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...