Re: Splunk is using the wrong disk for some reason...

sbenamro · ‎02-13-2016

I have 2 drives - C and D on the indexer.
I've defined the D drive for the indexing.
yet Splunk Folder is using 19GB - I've noticed that the biggest folder is C:\Program Files\Splunk\var\run\searchpeers
which uses 13GB.

what am I missing here ?

oh and this indexer is the licenser as well.

martin_mueller · ‎02-13-2016

$SPLUNK_HOME/var/run/searchpeers stores bundles from your search heads used by the indexer to run searches for them with the appropriate configurations. Indexing happens elsewhere, by default in $SPLUNK_HOME/var/lib/splunk - see if that's fairly small compared to what you've defined on your second drive to confirm that the index path setting is working.

As for your searchpeers folder using 13GB, this can have several reasons:
- is your bundle huge, e.g. massive lookup files?
- do you have many search heads, each distributing different bundles? Consider merging the search heads into a search head cluster, reducing the number of different bundles on your indexers.
- are there old bundles from legacy search heads? These can be deleted.

Splunk is using the wrong disk for some reason - why ?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation