Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why real-time alerts can lead to insufficient disk space on a device and cause splunkweb to not start?

Michael
Contributor
‎09-10-2014 05:44 AM

Sharing a lesson learned...
Splunk 6.1.3 (but I think would apply to most) on RHEL 6.

I came in one morning to being unable to log into Splunk, and the web interface producing an error indicating that the drive was full. Upon checking the space, there was plenty, over 30 gigs. I have had it stop indexing once when it reached the 2 gig mark, as designed, but never saw this -- that did not prevent the web interface from working.

Reply
1 Solution
Solved! Jump to solution
Solution

Michael
Contributor
‎09-10-2014 07:00 AM

hmm, forgot to "answer" this so it would be closed. Tks Rich,

Cheers!

Long story short, I had the previous day created an alert to fire off in "real time". Be very careful with these! Overnight, the alert fired off, but I had set the criteria up wrong, so it fired off over 10,000 times. The space that was filled up were the inodes. This can be checked with 'ls -i'. The place that fills up is in ../splunk/var/run/splunk/dispatch/ -- I removed all the alerts in this directory and went happily about my business -- oh, and removing that offending alert.

View solution in original post

Reply
Solved! Jump to solution
Solution

Michael
Contributor
‎09-10-2014 07:00 AM

hmm, forgot to "answer" this so it would be closed. Tks Rich,

Cheers!

Long story short, I had the previous day created an alert to fire off in "real time". Be very careful with these! Overnight, the alert fired off, but I had set the criteria up wrong, so it fired off over 10,000 times. The space that was filled up were the inodes. This can be checked with 'ls -i'. The place that fills up is in ../splunk/var/run/splunk/dispatch/ -- I removed all the alerts in this directory and went happily about my business -- oh, and removing that offending alert.

Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎09-11-2014 04:40 PM

realtime/alltime alert searches are like a loaded gun, handle with care.

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎09-10-2014 10:52 AM

Hi @Michael

I just moved your content around to the appropriate spaces and also accepted the answer for you so this post will get more hits. Thanks for sharing this 🙂 very helpful.

Patrick

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-10-2014 06:20 AM

Thanks for sharing, Michael. For the benefit of users searching for similar problems in future, answer this question and accept the answer. That will mark this as a solution.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...
Top