Hi,
We have a forwarder installed in different VMs and have log files like 2016-11-01 to 2016-11-21, and all of them are indexed.
Every month's end, I need to clean up logs from date 01 to 15.
How can I achieve this in Splunk? Do we need to write a custom script and configure a cronjob on the Splunk machine?
It would be great if you could provide any different thoughts on how to achieve this.
Hi rajgowd1,
I believe the best Splunk can offer by default is using [batch://] instead of [monitor://] to immediately destroy the original log file after indexing. Based on your requirement, a custom script with a cronjob will be the most suitable.
Hi,
Thank you. Can you please provide steps to implement this using the [batch://] option?
Hi,
Sure, I've taken this from admin guide:
[batch:///path/to/log/file]
sourcetype = my_sourcetype
index = my_index
recursive = false
move_policy = sinkhole
Remember to add "move_policy = sinkhole".
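As an added example that is not from this thread, the other route suggested above (a custom script run from cron) for the YYYY-MM-DD.log naming the question describes: it only lists and counts the files for days 01 to 15 unless explicitly told to delete, so a mistyped month cannot silently remove the wrong files. The [batch://] stanza with move_policy = sinkhole, by contrast, deletes every file as soon as it is indexed, so there is no local copy left to review afterwards.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes daily files named YYYY-MM-DD.log
# in one directory. Nothing is removed unless the third argument is "delete".

# List files in $1 named <$2>-DD.log whose day DD is 01..15.
first_half_logs() {
    dir=$1; ym=$2
    for f in "$dir"/"$ym"-[0-3][0-9].log; do
        [ -f "$f" ] || continue                  # glob matched nothing
        day=${f##*/}; day=${day#"$ym"-}; day=${day%.log}
        case "$day" in
            0[1-9]|1[0-5]) printf '%s\n' "$f" ;; # days 01-15 only
        esac
    done
}

# Count (dry-run, the default) or delete those files; prints the number handled.
cleanup_first_half() {
    dir=$1; ym=$2; mode=${3:-dry-run}
    first_half_logs "$dir" "$ym" | {
        n=0
        while IFS= read -r f; do
            if [ "$mode" = delete ]; then
                rm -f -- "$f"
                printf 'removed: %s\n' "$f" >&2   # audit trail for the cron log
            fi
            n=$((n + 1))
        done
        echo "$n"
    }
}

# Constructed sample: a scratch directory holding 2016-11-01.log .. 2016-11-21.log.
make_sample() {
    d=$(mktemp -d)
    day=1
    while [ "$day" -le 21 ]; do
        : > "$d/2016-11-$(printf '%02d' "$day").log"
        day=$((day + 1))
    done
    echo "$d"
}

# Stand-alone demo: dry-run over the sample, then clean up the scratch directory.
# From cron, call e.g.: cleanup_first_half /var/log/app "$(date +%Y-%m)" delete
sample=$(make_sample)
printf 'dry-run would remove %s files\n' "$(cleanup_first_half "$sample" 2016-11)"
rm -rf "$sample"
```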