If you work with files that are transferred between Macs and Linux or Windows sooner or later you will be burned or just plain annoyed by the “._” files that MacOSX creates. What are these little devils? They are metadata files the OSX files system places there to support other file systems that may not support this metadata in the file itself. Apple wanted cross platform compatibility so a Mac based program or OSX could share important details (user, creation date, permissions, etc) with another program or a different operating system.
In our case at Splunk they are not relevant and can cause Splunk to complain on startup and in even some cases even fail to start (I had this happen recently). So it is safe to hunt them down and remove them. I spend 99.9% of my time living in terminal sessions on Linux hosts, so below is an example of how you can remove these annoying little files on Linux or MacOSX via terminal.
First we need to find them, and how do we find things in terminal…yes you guessed it the find command.
In this case we want issue the command find, followed by the path, the -name flag for the file names we are searching for, followed by the -type f flag for files.
find PATH -name ‘NAME’ -type -f
Example: find /opt/splunk/etc/apps/eventgen/ -name ‘._*’ -type f
The above example should return results if any files that begin with ._ are present.
/opt/splunk/etc/apps/eventgen/bin/._.gitignore
/opt/splunk/etc/apps/eventgen/bin/._eventgen.bat
/opt/splunk/etc/apps/eventgen/bin/._eventgen.py
/opt/splunk/etc/apps/eventgen/bin/._eventgen_rest_handler.py
/opt/splunk/etc/apps/eventgen/bin/._eventgenprof.py
Now that we have found them, and have confirmed they are only the files we want to remove, we can add the delete flag to our find string.
So we start with the same command string, find, followed by the path, the -name flag for the file names we are searching for, followed by the -type f flag for files, and we add -delete.
find PATH -name ‘NAME’ -type -f -delete
Example: find /opt/splunk/etc/apps/eventgen/ -name ‘._*’ -type f -delete
After we I run the example above I run the find string again minus the -delete flag to confirm they are gone.
Example: find /opt/splunk/etc/apps/eventgen/ -name ‘._*’ -type f
At this point I should see zero results.
cory wallace 