Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

can anyone suggest cleanup the splunk mount point. i see /opt/splunk is almost full. please give some suggestion .

shivanandbm
Explorer
‎06-07-2018 11:21 PM

can anyone suggest cleanup the splunk mount point. i see /opt/splunk is almost full. please give some suggestion . which are the path we can clean up.

Tags (1)
0 Karma
Reply

adonio
Ultra Champion
‎06-09-2018 06:15 AM

hello there,

will suggest to leverage indexes.conf settings to make sure you never need to clean up your mount point.
for example, if you are setting up volumes and configuring the total size of volume/s to be lets say 80% of the size of the mount you will never need to clean up again. oh yeah, it will actually also force the older buckets to roll out due to size restrictions and therefore will clean up the mount as you implement the settings
use these settings to achieve:

maxVolumeDataSizeMB = <positive integer>
* Optional, ignored for storageType=remote
* If set, this attribute limits the total size of all databases that reside
  on this volume to the maximum size specified, in MB.  Note that this it
  will act only on those indexes which reference this volume, not on the
  total size of the path set in the path attribute of this volume.
* If the size is exceeded, Splunk will remove buckets with the oldest value
  of latest time (for a given bucket) across all indexes in the volume,
  until the volume is below the maximum size.  This is the trim operation.
  Note that this can cause buckets to be chilled [moved to cold] directly
  from a hot DB, if those buckets happen to have the least value of
  latest-time (LT) across all indexes in the volume.
* Highest legal value is 4294967295, lowest legal value is 1.

read here more:
https://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Indexesconf

0 Karma
Reply

raghu0463
Explorer
‎06-08-2018 01:01 PM

If you want you can delete some data from the var folder from cold buckets.

0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...