- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to change the index size of _audit index on a cluster?
agentguerry
Path Finder
08-30-2019
11:20 AM
I have a cluster set up with 1 index master, and 2 index peers.
I would like to change the size of the _audit index from 500G to 400G.
How can I go about changing these? On my index master, in the inputs.conf file that gets pushed out, there is no _audit index since these are created from splunk setup. I cannot go to each peer and change them manually, b/c the peers are part of a cluster.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
08-30-2019
11:39 AM
On both indexers, you would need to create a stanza.
go to $SPLUNK_HOME/etc/system/local/indexes.conf
and create
[_audit]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
agentguerry
Path Finder
08-30-2019
11:43 AM
would doing that clobber the existing data/index that is on the peer servers?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
08-30-2019
11:46 AM
no it won't
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
08-30-2019
11:49 AM
also have a look at this :
https://answers.splunk.com/answers/26834/audit-and-internal-index-data-retention.html
