topic Re: Disk space was full need to delete the data ? in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Disk-space-was-full-need-to-delete-the-data/m-p/599028#M104464 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/179309">@naveenyadav99</a>,</P><P>at first, the delete command perform a logical deletion (events are marked as deleted but remain in the index), so you don't have new space in your storage.</P><P>Then the delete command requires that the user has a "can_delete" role.</P><P>Anyway, the problem is that you haven't sufficient space in your disk, so every search is blocked, and you cannot perform a search for deleting events.</P><P>To restart your searches, you can modify the minimun disk space from 5 MB to 2 MB [Settings -- Server Settings -- General Settings], but, as I said, this doesn't resolve your problem, it's only a momentary solution.</P><P>You can physically delete the oldest buckets, modifying the retention of some large index (e.g. _internal), you can do this, modifying indexes.conf on $SPLUNK_HOME/etc/system/local/indexes.conf, adding&nbsp;</P><LI-CODE lang="markup">FrozenTimePeriodInSecs = 864000</LI-CODE><P>and restarting Splunk.</P><P>If you haven't indexes.conf in local folder, as you well know, you have to create it in this folder, don't modify the one in default because at the first upgrade you loose this change.</P><P>This should give you much space on your disk but you'll have Splunk internal data only for 10 days.</P><P>Obviously you loose some information as the license consuption after 10 days.</P><P>Ciao.</P><P>Giuseppe</P> Tue, 24 May 2022 08:52:58 GMT gcusello 2022-05-24T08:52:58Z Disk space was full need to delete the data ? https://community.splunk.com/t5/Getting-Data-In/Disk-space-was-full-need-to-delete-the-data/m-p/599026#M104463 <P>Hello,</P><P>I am facing disk space issue in my Splunk so decided to delete the unwanted data as it is test environment, while running the following command <STRONG>index=malware | delete&nbsp;</STRONG>i am getting the following error.</P><P>&nbsp;</P><P><STRONG>Search not executed: The minimum free disk space (5000MB) reached for /opt/splunk/var/run/splunk/dispatch. user=admin., concurrency_category="historical", concurrency_context="user_instance-wide", current_concurrency=0, concurrency_limit=5000</STRONG></P><P>and also I can see so many errors on my Splunk as follows</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="naveenyadav99_0-1653380950367.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/19791i48C5E2E306CAEBC7/image-size/medium?v=v2&amp;px=400" role="button" title="naveenyadav99_0-1653380950367.png" alt="naveenyadav99_0-1653380950367.png" /></span></P><P>&nbsp;</P><P>Please help me on this to solve the issues.</P> Tue, 24 May 2022 08:34:21 GMT https://community.splunk.com/t5/Getting-Data-In/Disk-space-was-full-need-to-delete-the-data/m-p/599026#M104463 naveenyadav99 2022-05-24T08:34:21Z Re: Disk space was full need to delete the data ? https://community.splunk.com/t5/Getting-Data-In/Disk-space-was-full-need-to-delete-the-data/m-p/599028#M104464 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/179309">@naveenyadav99</a>,</P><P>at first, the delete command perform a logical deletion (events are marked as deleted but remain in the index), so you don't have new space in your storage.</P><P>Then the delete command requires that the user has a "can_delete" role.</P><P>Anyway, the problem is that you haven't sufficient space in your disk, so every search is blocked, and you cannot perform a search for deleting events.</P><P>To restart your searches, you can modify the minimun disk space from 5 MB to 2 MB [Settings -- Server Settings -- General Settings], but, as I said, this doesn't resolve your problem, it's only a momentary solution.</P><P>You can physically delete the oldest buckets, modifying the retention of some large index (e.g. _internal), you can do this, modifying indexes.conf on $SPLUNK_HOME/etc/system/local/indexes.conf, adding&nbsp;</P><LI-CODE lang="markup">FrozenTimePeriodInSecs = 864000</LI-CODE><P>and restarting Splunk.</P><P>If you haven't indexes.conf in local folder, as you well know, you have to create it in this folder, don't modify the one in default because at the first upgrade you loose this change.</P><P>This should give you much space on your disk but you'll have Splunk internal data only for 10 days.</P><P>Obviously you loose some information as the license consuption after 10 days.</P><P>Ciao.</P><P>Giuseppe</P> Tue, 24 May 2022 08:52:58 GMT https://community.splunk.com/t5/Getting-Data-In/Disk-space-was-full-need-to-delete-the-data/m-p/599028#M104464 gcusello 2022-05-24T08:52:58Z