Hi all,
We have 3 indexers in an indexer cluster environment. We're running out of space on 2 indexers and utilization is 90% of 600GB for each server.
indexes.conf
[cisco_asa]
homePath = /u01/cisco_esa/db
coldPath = /u01/cisco_esa/colddb
thawedPath = $SPLUNK_DB/cisco_esa/thaweddb
repFactor = auto
coldToFrozenDir = /u02/cisco_esa/frozen
# 100 days to frozen
frozenTimePeriodInSecs = 8640000
# 50 days to roll to cold
maxHotSpanSecs = 4320000
summaryHomePath = /u01/cisco_esa/dm_summary
This is the same thing for all indexes, so what is the best option to clear out some space and how can I delete some data from the above index for reducing some space?
You can configure the maxTotalDataSizeMB = N
under each index stanza in your indexes.conf and make sure that the sum of N does not exceed your available disk capacity. Restart Splunk after configuring it, and Splunk will start to freeze your oldest data.
There is a delete
command, but it is a soft delete only (to make the data unsearchable) and does not reclaim disk space.
You can configure the maxTotalDataSizeMB = N
under each index stanza in your indexes.conf and make sure that the sum of N does not exceed your available disk capacity. Restart Splunk after configuring it, and Splunk will start to freeze your oldest data.
There is a delete
command, but it is a soft delete only (to make the data unsearchable) and does not reclaim disk space.