Good Morning Everyone!
I am trying to see what components are in my Splunk environment. I just inherited a system with splunk on it and as far as I know I am on a management server and i am accessing a splunk web client which i presume is the search head.... (that's one component down...i think).
I understand Splunk enterprise needs a forwarder...and an indexer and a search head to function correctly...but without knowing what components i have inherited i am not really sure that it is working.
also I have done some initial research on an message i received upon barely logging in... "The minimum free disk space (5000MB) reached for /opt/splunk/var/run/splunk/dispatch on an indexer..
^A)my research has shown me that its possible splunk is forwarding to itself.
B) i can remedy the error by editing the .conf file responsible for setting the min. quota
c) assess the storage available and allocate more space to said directory.
knowing the above options ...what do you think is best in my scenario? again i am super new to this enviornment
Splunk instance can be configured as standalone deployment or as part of the clustered component. Standalone deployment basically inherits all of the components into a single instance where you can index incoming data and search them while acting as License Master and monitoring console. There is a possibility that your particular instance might be either standalone or part of indexer because normally other Splunk components are less likely to get alerts on free space. I probably begin by checking your host's disk utilization and check $SPLUNK_HOME/etc/system/local/server.conf to get any hint of this deployment. If you have [clustering] stanza defined inside your server.conf file, high chance that there may be other Splunk components residing in your environment.
You can also use Splunk cmd btool to check configuration which should help you find out the topology of the deployment.
This https://docs.splunk.com/Documentation/Splunk/8.1.1/InheritedDeployment/Introduction is a good starting point for new admins with new installation. Following it gives you a easy way to figure out what you have in your environment.
Your 2nd question. This means that you have run out of disk space on indexer and you need to get more space or update your retention to get more space.
a) splunk allways store it's internal logs to it's internal indexes (_<something>)
b) it will come back after some time and finally when you have run out of disk space your environment didn't work anymore.
c) Add more space for splunk and/or check retentions.