https://community.splunk.com/t5/All-Apps-and-Add-ons/Search-head-out-of-disk-space-because-SPLUNK-HOME-var-lib-splunk/m-p/110146#M7917 <P>I do not understand what this is telling me:<BR /> splunk_server VALUE_audit VALUE_internal summary_forwarders summary_hosts summary_indexers summary_pools summary_sources summary_sourcetypes<BR /> splunk-search04 20752 / 500000MB (4%) 5947 / 500000MB (1%) 1316 / 500000MB (0%) 1326 / 500000MB (0%) 129 / 500000MB (0%) 19 / 500000MB (0%) 7551 / 500000MB (2%) 377 / 500000MB (0%)</P> Mon, 28 Sep 2020 15:38:38 GMT woodcock 2020-09-28T15:38:38Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Search-head-out-of-disk-space-because-SPLUNK-HOME-var-lib-splunk/m-p/110137#M7908 <P>I have 2 search heads that are very similar but one has some extra apps installed (such as SoS). The one with more apps is continuously out of disk space and I just found out why. On the search head that is fine, /opt/splunk/var/lib/splunk has 531M used but on the loaded one, it has 35G!!! What is taking up all the space? Many directory pairs like this <APPNAME> and <APPNAME>.dat. Inside each <APPNAME> directory are 3 directories: "colddb", "db", and "thaweddb". The "db" directories are where all the space is consumed. What is creating these and how can I rein it in?</APPNAME></APPNAME></APPNAME></P> Sat, 11 Jan 2014 05:43:45 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Search-head-out-of-disk-space-because-SPLUNK-HOME-var-lib-splunk/m-p/110137#M7908 woodcock 2014-01-11T05:43:45Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Search-head-out-of-disk-space-because-SPLUNK-HOME-var-lib-splunk/m-p/110138#M7909 <P>These are Splunk's indexes. The directory names in var/lib/splunk usually correspond to the index names, so if you want to see what all that data is, just search the corresponding index name in Splunk on your search head.</P> Sat, 11 Jan 2014 14:42:24 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Search-head-out-of-disk-space-because-SPLUNK-HOME-var-lib-splunk/m-p/110138#M7909 Ayn 2014-01-11T14:42:24Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Search-head-out-of-disk-space-because-SPLUNK-HOME-var-lib-splunk/m-p/110139#M7910 <P>To add to Ayn's comment, you can run this search on your search head:</P> <P><CODE><BR /> | rest /services/data/indexes splunk_server=local<BR /> | search totalEventCount!=0<BR /> | eval cell=tostring(currentDBSizeMB) + " / " + tostring(maxTotalDataSizeMB) + "MB (" + tostring(round(currentDBSizeMB * 100 / maxTotalDataSizeMB)) + "%)"<BR /> | chart first(cell) over splunk_server by title<BR /> </CODE></P> Mon, 28 Sep 2020 15:38:08 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Search-head-out-of-disk-space-because-SPLUNK-HOME-var-lib-splunk/m-p/110139#M7910 sowings 2020-09-28T15:38:08Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Search-head-out-of-disk-space-because-SPLUNK-HOME-var-lib-splunk/m-p/110140#M7911 <P>Given it's a search head, my bet is on summary indexes and/or tsidx files for apps like bluecoat or palo alto..</P> Sat, 11 Jan 2014 17:56:28 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Search-head-out-of-disk-space-because-SPLUNK-HOME-var-lib-splunk/m-p/110140#M7911 dwaddle 2014-01-11T17:56:28Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Search-head-out-of-disk-space-because-SPLUNK-HOME-var-lib-splunk/m-p/110141#M7912 <P>We are not running any summary indices but we do have some apps that may have setup some, which was my theory (and why I mentioned SoS app). Is there a way to map these files to the app that created them?</P> Sun, 12 Jan 2014 19:57:31 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Search-head-out-of-disk-space-because-SPLUNK-HOME-var-lib-splunk/m-p/110141#M7912 woodcock 2014-01-12T19:57:31Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Search-head-out-of-disk-space-because-SPLUNK-HOME-var-lib-splunk/m-p/110142#M7913 <P>The above search would show <EM>summary index</EM> usage local to the search head. If you're using report acceleration, you might try <CODE>| rest /services/admin/summarization splunk_server=local</CODE>, and pay attention to summary.size. Some apps (like bluecoat or Palo Alto) may call "tscollect" directly to create tsidx name spaces. These are a bit harder to track down (as in, I don't yet have a search for identifying that space). There may also be summary space in use by accelerated data models, but that space would be on the indexers and <EM>not</EM> on the search head.</P> Mon, 13 Jan 2014 13:27:29 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Search-head-out-of-disk-space-because-SPLUNK-HOME-var-lib-splunk/m-p/110142#M7913 sowings 2014-01-13T13:27:29Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Search-head-out-of-disk-space-because-SPLUNK-HOME-var-lib-splunk/m-p/110143#M7914 <P>And you might consider the Fire Brigade app, appropriate to your Splunk version. In particular the "Indexer Host Overview" page could help explain what's going on with that search head.</P> Mon, 13 Jan 2014 13:28:27 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Search-head-out-of-disk-space-because-SPLUNK-HOME-var-lib-splunk/m-p/110143#M7914 sowings 2014-01-13T13:28:27Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Search-head-out-of-disk-space-because-SPLUNK-HOME-var-lib-splunk/m-p/110144#M7915 <P>I do not understand what this is telling me:<BR /> splunk_server VALUE_audit VALUE_internal summary_forwarders summary_hosts summary_indexers summary_pools summary_sources summary_sourcetypes<BR /> splunk-search04 20752 / 500000MB (4%) 5947 / 500000MB (1%) 1316 / 500000MB (0%) 1326 / 500000MB (0%) 129 / 500000MB (0%) 19 / 500000MB (0%) 7551 / 500000MB (2%) 377 / 500000MB (0%)</P> Mon, 28 Sep 2020 15:38:33 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Search-head-out-of-disk-space-because-SPLUNK-HOME-var-lib-splunk/m-p/110144#M7915 woodcock 2020-09-28T15:38:33Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Search-head-out-of-disk-space-because-SPLUNK-HOME-var-lib-splunk/m-p/110145#M7916 <P>I do not understand what this is telling me:<BR /> splunk_server VALUE_audit VALUE_internal summary_forwarders summary_hosts summary_indexers summary_pools summary_sources summary_sourcetypes<BR /> splunk-search04 20752 / 500000MB (4%) 5947 / 500000MB (1%) 1316 / 500000MB (0%) 1326 / 500000MB (0%) 129 / 500000MB (0%) 19 / 500000MB (0%) 7551 / 500000MB (2%) 377 / 500000MB (0%)</P> Mon, 28 Sep 2020 15:38:36 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Search-head-out-of-disk-space-because-SPLUNK-HOME-var-lib-splunk/m-p/110145#M7916 woodcock 2020-09-28T15:38:36Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Search-head-out-of-disk-space-because-SPLUNK-HOME-var-lib-splunk/m-p/110146#M7917 <P>I do not understand what this is telling me:<BR /> splunk_server VALUE_audit VALUE_internal summary_forwarders summary_hosts summary_indexers summary_pools summary_sources summary_sourcetypes<BR /> splunk-search04 20752 / 500000MB (4%) 5947 / 500000MB (1%) 1316 / 500000MB (0%) 1326 / 500000MB (0%) 129 / 500000MB (0%) 19 / 500000MB (0%) 7551 / 500000MB (2%) 377 / 500000MB (0%)</P> Mon, 28 Sep 2020 15:38:38 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Search-head-out-of-disk-space-because-SPLUNK-HOME-var-lib-splunk/m-p/110146#M7917 woodcock 2020-09-28T15:38:38Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Search-head-out-of-disk-space-because-SPLUNK-HOME-var-lib-splunk/m-p/110147#M7918 <P>what does the datamode_summary contain. <BR /> how can we move data from one path to another in an indexer cluster. </P> Wed, 06 Dec 2017 21:45:06 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Search-head-out-of-disk-space-because-SPLUNK-HOME-var-lib-splunk/m-p/110147#M7918 nawazns5038 2017-12-06T21:45:06Z