Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I delete old log data past a certain time on an index?

bayman
Path Finder
‎03-21-2017 11:02 AM

We're running out of disk space.

How do I delete old log data past a certain time on an index?

If I set a max index size, what happens when that limit is reached for an index?

How should I rotate logs so old logs are automatically deleted?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎03-21-2017 11:18 AM

You can delete data directly from the file system or use the clean command

$SPLUNK_HOME/bin/splunk clean eventdata -index <index_name>

Note that the delete command will not delete data from the file system, it will only hide it in Splunk web

http://docs.splunk.com/Documentation/Splunk/6.1.4/Indexer/RemovedatafromSplunk

If you set max index size, then the oldest data that is past that max size will either be deleted or archived if you specified a frozen path when creating your index.

Splunk buckets will roll from hot --> warm --> cold --> frozen.. I believe by default they will roll to frozen every 6 years OR until they reach the max index size

http://docs.splunk.com/Documentation/Splunk/6.5.2/Indexer/HowSplunkstoresindexes

View solution in original post

Reply
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎03-21-2017 11:18 AM

You can delete data directly from the file system or use the clean command

$SPLUNK_HOME/bin/splunk clean eventdata -index <index_name>

Note that the delete command will not delete data from the file system, it will only hide it in Splunk web

http://docs.splunk.com/Documentation/Splunk/6.1.4/Indexer/RemovedatafromSplunk

If you set max index size, then the oldest data that is past that max size will either be deleted or archived if you specified a frozen path when creating your index.

Splunk buckets will roll from hot --> warm --> cold --> frozen.. I believe by default they will roll to frozen every 6 years OR until they reach the max index size

http://docs.splunk.com/Documentation/Splunk/6.5.2/Indexer/HowSplunkstoresindexes

Reply
Solved! Jump to solution

bayman
Path Finder
‎03-21-2017 11:24 AM

/opt/splunk/var/lib/splunk folder size is 200G of data.
I'm assuming I manage this folder size via the Index size limit?

/var/log/splunk folder size is 90G of data
How should I manage this folder size? Is it safe to delete these *.log files in this folder?

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎03-21-2017 11:30 AM

Yes correct, by default the max index size will be 500GB. Go to Settings>Index and find your index and modify the size limits

I'm assuming var/log/splunk is on a separate server which is being forwarded to Splunk? If so then yeah you can delete those log files as it's already been ingested by Splunk (Check before removing! A better strategy would be to zip them or move to another drive if they are important). As for log rotation, that's more of a sys-admin task rather than a Splunk task. You will either need to grow the drive or roll your logs on a regular basis

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...