Hi All,
Deleting the bucket being the only way out to reclaim space, I have some queries on buckets.
All I have is "defaultdb" and "metaeventdb" in my Splunk, which have .tsidx files and raw data.
Are buckets with this file naming convention, "db_newesttime_oldesttime", called bucket files?
Can I do a clean based on the .tsidx timestamp as well? Or do I need to delete the defaultdb/metaeventdb entirely, as below?
/data/third_party/splunk/bin/splunk clean eventdata -index main
Also the index names as mentioned in the document are "main", "_internal" and "_audit".
Is *.tsidx also the index?
How do I identify an index directory?
If you can give an example of a bucket name, I could search for similar stuff in my Splunk as well.
Thanks in advance.
Note: I'm using Splunk version 3.4.14.2 as of now.
Version 3.4? There comes a time in all our lives when the only real answer is to migrate to a supported version.
For instance, I was going to say in your indexes.conf set "maxTotalDataSizeMB" to some reasonable value on that index. But I don't think that's even valid on this version. More importantly, I can't even check if it's valid because the documentation available online only goes back to version 4.3. Version 4.3 was released in 2012.
I am sorry I can't even give you a proper upgrade path, because a direct upgrade doesn't exist.
What I could say is that it likely will pay you back many times over if you stand up a new box with Splunk 6.5+ and migrate the data coming in to it. Rebuild whatever it's doing onto a platform that's more current, is supported, has documentation available and is in active use by folks.
Give that a try, see how much better and easier it is. If you have problems at some point, we'll be able to help, then!