Can splunk delete remote event logs?

asmercer2004
Explorer

I am using Splunk to pull the event log data off several machines on a domain and archive them on a single server. Is there a way to have Splunk automatically delete/truncate the remote event logs on the remote machines after I archive them?


cervelli
Splunk Employee

Why not just configure the event logs to roll? That's the default state and MSFT best practice.

Splunk doesn't do destructive reads, and I'm not sure that even PowerShell will let you. A cursory examination suggests this is not something MSFT wants to allow, for obvious auditability reasons.

Apologies if that's a non-answer.

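As an added example that is not part of the thread, here is a Windows PowerShell script that checks the rolling configuration cervelli refers to: it reports, for each host and log, whether the log is full or set to "Do not overwrite" (LogMode Retain) and, only when -Fix is passed, switches it to overwrite-as-needed. The host list and the -Fix switch are assumptions; Limit-EventLog applies to classic logs under Windows PowerShell 5.1.

```powershell
# Added example (not from the thread): audit Windows event log retention on a
# list of hosts and flag logs that are full or in Retain mode, which is what
# leaves an audit log "usually full" and silently dropping new events.
# Assumes remote RPC/WinRM access to the hosts; $Hosts is a constructed list.
param(
    [string[]] $Hosts    = @('localhost'),                  # constructed placeholder
    [string[]] $LogNames = @('Security', 'System', 'Application'),
    [switch]   $Fix                                          # opt in to changing settings
)

foreach ($computer in $Hosts) {
    foreach ($logName in $LogNames) {
        try {
            $log = Get-WinEvent -ListLog $logName -ComputerName $computer -ErrorAction Stop
        } catch {
            Write-Warning "$computer/$logName : $($_.Exception.Message)"
            continue
        }

        # Retain mode means "do not overwrite": once full, new events are lost.
        $needsFix = ($log.LogMode -eq 'Retain') -or $log.IsLogFull

        [pscustomobject]@{
            Computer    = $computer
            Log         = $logName
            LogMode     = $log.LogMode
            MaxSizeMB   = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
            RecordCount = $log.RecordCount
            IsLogFull   = $log.IsLogFull
            NeedsFix    = $needsFix
        }

        if ($Fix -and $needsFix) {
            # OverwriteAsNeeded is the rolling behaviour described as the default;
            # the maximum size is deliberately left unchanged here.
            Limit-EventLog -LogName $logName -ComputerName $computer `
                -OverflowAction OverwriteAsNeeded
            Write-Verbose "$computer/$logName switched to OverwriteAsNeeded" -Verbose
        }
    }
}
```

Run it without -Fix first to see which hosts are affected; pipe the output to Export-Csv to keep a record of the pre-change state.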

gkanapathy
Splunk Employee

Not really, or not by default. Splunk does not, by deliberate intention, delete anything on the source machine (other than logs placed specifically in the batch monitor directory).

In principle, you can write a script to be run by the Splunk forwarder to do anything you want, so it can be done. However, any such script you write will not be integrated with the Splunk file or WinEventLog monitoring systems.

Genti
Splunk Employee

Your question and environment are a bit unclear. Is the data coming from forwarders into the single Splunk server (indexer)? If this is the case, then there is no data being "indexed" on the other machines, and hence nothing to delete.
It almost sounds like you would like the original raw data to be deleted? If that is the case, Splunk does not touch that data at all, in the sense that it only monitors the logs but never changes or manipulates them.

Hence there is no way to use Splunk to delete raw data from your disk.
If I have misunderstood your question you might want to edit it and be a bit more specific.


Genti
Splunk Employee

Then I think the best bet would be to 1. install forwarders on all your servers and set them to monitor your logs and send the events to the Splunk indexer, and 2. set up some saved search that runs every so often and alerts you about how many events you have. If you want, you could also have a script that runs and perhaps calls the remote hosts to delete the data. However, you might want to be careful with this, as if you delete the logs and for some reason they did not make it into Splunk, then you will have data loss.


asmercer2004
Explorer

No I think you understood it fairly well. I am trying to pull the raw event logs from a number of remote machines. The audit logs are set to a small max size (not changeable, at least by me) and as a result are usually full. We want to pull them off of each machine and store them on a single server then delete them.
