Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Indexers Disk Space

riqbal47010
Path Finder
‎08-31-2019 11:18 PM

all of our indexers server disk space is almost 90% full and one of the indexer server disk is full(100%) so he get stopped.

So the first thing is to determine that why only specific server disk space get full(100%) and others are at 90% .

secondly how can we solve this issue.

Tags (1)
0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎09-01-2019 03:48 AM

Whats is your setup? do you have indexer clustering? Can you post you indexers indexes.conf?

Its always possible to have different percentages of usage since the sources (e.g. forwarders) might not be sending data equally to both indexers. Splunk UFs can do Load balancing, but it usually timebased so there is still a chance that you can get more data in one interval and less on the other. Size based LB is available on more recent versions.

You should be using volume management and better retention policies to avoid having having you indexers to stop due to lack of space.

Check this link:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Indexer/Configureindexstoragesize

------------
Hope I was able to help you. If so, some karma would be appreciated.
Reply

riqbal47010
Path Finder
‎09-01-2019 03:51 AM

thanks for the reply, interestingly after removing excessive buckets I got enough disk space.
we have nine months retention policy after that they moved to Frozen NFS share.

thanks for reply.

0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎09-01-2019 04:13 AM

great! if my answers help you please make it as such.
Still be aware that bigger issues might arise if you don't design your infra and storage policies properly since, depending on your cluster search factor and replication factor, if one of your indexers goes down the other will eventually start fixup tasks building the missing buckets and filling up your storage.

------------
Hope I was able to help you. If so, some karma would be appreciated.
Reply

riqbal47010
Path Finder
‎09-11-2019 04:48 AM

hi diogofgm,

we have different indexes.conf for each technology index. Now the two indexers have 96% utilized disk space remaining others are 75 to 80 percent utilized. how can we immediately solve this issue.

Further to that, If i reduce the retention period to 6 months from 9 months. will it fix the disk space issue. primarily we need 6 months data online.

0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎09-12-2019 10:32 AM

yes, if you reduce the retention period it will likely fix your disk space issue. but bear in mind that a bucket will only roll/be deleted when all the data it contains hits the retention period. Meaning buckets with several days worth of data will only roll / be deleted when after all the data has passed the retention period.
Also, difference in usage its possible depending on how you're sending data and if you have Splunk LB setup. check this: https://docs.splunk.com/Documentation/Splunk/7.3.1/Forwarding/Setuploadbalancingd

------------
Hope I was able to help you. If so, some karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...