Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Where in Splunk are my log files indexed?

rajendran
New Member
‎06-28-2016 02:35 AM

I am using Splunk 6.0. I configured a log file to be automatically indexed in Splunk by editing inputs.conf. I am able to view the indexed values in Splunk Web, but I want to know the location of where the log file got indexed, because if any data got indexed incorrectly, I want to remove the log file from the location. While doing it manually via DataInputs, I was able to view the log file in DataInputs > Files&Directories. It is easy to remove the data by deleting from there, but I need to do the same during the log file indexing automatically. Please help me to find out this

0 Karma
Reply

splunk_force_as
Path Finder
‎06-28-2016 09:50 AM

So there are few different things to consider:

  1. In terms of where the data gets indexed, by default $SPLUNK_HOME/var/log/splunk directory. See https://answers.splunk.com/answers/418636/where-do-logs-go-when-uploaded-via-splunk-webs-add.html#an...

  2. In terms of deleting the data: for the most part, it isn't recommended that you manually delete indexed data (buckets) because that could cause issues depending on your deployment setup. Splunk employs a retention policy where data is deleted by age (or size). The default is ~ 6 years, but this number is configurable on global and/or index basis. This will need to be configured in the indexes.conf, see : http://docs.splunk.com/Documentation/Splunk/6.0.3/Indexer/Setaretirementandarchivingpolicy. If you have the need to delete data, I recommend that you let the data retire, and re-index the data properly ( consider disk space and licensing.)

  3. What index are you sending your data to? If it's a new index and the data is fairly recent, you could clean the index but keep in mind that ALL data in that index will be deleted. See: http://docs.splunk.com/Documentation/Splunk/6.4.1/Indexer/RemovedatafromSplunk

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...