All Apps and Add-ons

Splunk app Windows Infrastructure - kvstore disk saturations



I use on my Search Head Cluster (with 80GB of disk space for each SH) the application "Splunk App Windows Infrastructure" that's carrying several kvstores and collections configurations.

Theses KVStore consummed all the disk space. I must disable several scheduled tasks. Mainly all kvstore and lookups updates tasks.

My problem is still here. This app still consummed my disk space and the KVStore doesn't rotate old data.
I won't clean it to prevent losts of valuables datas.

How can I modify / optimize the configuration to stop the high disk consummation ?

Best regards.


The answer is that you likely have both the Exchange and Windows app installed, which is the issue. To me this is something that should be addressed ASAP, it seems like a very serious issue that any Splunk customer that installs both apps gets their disk space blown up (unsure which versions of Splunk this affects):

I ran this per @dwaddle:

|  rest splunk_server=local /services/server/introspection/kvstore/collectionstats 
|  fields data 
|  mvexpand data 
|  rename data as _raw 
|  spath 
|  fields - _raw
|  fields ns size storageSize totalIndexSize

And it showed me that the terminal service trackers are the culprits:

splunk_app_microsoft_exchange.tSessions_collection and splunk_app_windows_infrastructure.tSessions_collection

Per @automine, app savedsearches likely have the same name and are using the same collection. You can disable tSessions_Lookup_Update* savedsearches in the apps, or, like the Documentation link says, just uninstall the Windows Infra app.

This is also the same issue:

Oh also a local clean of the kvstore should clear it out

0 Karma


Hi Nick,

Thanks for your reply.

We solve (I expect permanently) my issue with cleaning all local KVStore.

The cause is somes old lookups files (old from months ago) can't be delete by Splunk.
When I clean a local KVstore, the non replicated old lokkup files are replicate after the cleaning.

I'll check you answer and make sur that all is ok with my apps.
I'll make a return after.

Thank you.

0 Karma
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...