Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do we clear out some indexed data in our indexer cluster?

kiran331
Builder
‎05-17-2016 10:23 AM

Hi all,

We have 3 indexers in an indexer cluster environment. We're running out of space on 2 indexers and utilization is 90% of 600GB for each server.

indexes.conf 

[cisco_asa]
homePath   = /u01/cisco_esa/db
coldPath   = /u01/cisco_esa/colddb
thawedPath = $SPLUNK_DB/cisco_esa/thaweddb
repFactor = auto
coldToFrozenDir = /u02/cisco_esa/frozen
# 100 days to frozen
frozenTimePeriodInSecs = 8640000
# 50 days to roll to cold
maxHotSpanSecs = 4320000
summaryHomePath = /u01/cisco_esa/dm_summary

This is the same thing for all indexes, so what is the best option to clear out some space and how can I delete some data from the above index for reducing some space?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

masonmorales
Influencer
‎05-17-2016 12:50 PM

You can configure the maxTotalDataSizeMB = N under each index stanza in your indexes.conf and make sure that the sum of N does not exceed your available disk capacity. Restart Splunk after configuring it, and Splunk will start to freeze your oldest data.

There is a delete command, but it is a soft delete only (to make the data unsearchable) and does not reclaim disk space.

View solution in original post

Reply
Solved! Jump to solution
Solution

masonmorales
Influencer
‎05-17-2016 12:50 PM

You can configure the maxTotalDataSizeMB = N under each index stanza in your indexes.conf and make sure that the sum of N does not exceed your available disk capacity. Restart Splunk after configuring it, and Splunk will start to freeze your oldest data.

There is a delete command, but it is a soft delete only (to make the data unsearchable) and does not reclaim disk space.

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...