Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why are my 3 search heads in a search head clustering environment filling up the directory "/opt/splunk/var/lib/splunk/kvstore/mongo"?

harrymclaren
Explorer
‎07-06-2015 03:34 AM

I'm currently building out a Splunk environment and could do with some help.

The three search heads (clustered) are all filling up the following directory /opt/splunk/var/lib/splunk/kvstore/mongo. I haven’t configured anything to do with kvstore or mongo as far as I know.

Searching via documentation, I can't see why this would be the case.

Help is appreciated.

Reply

harrymclaren
Explorer
‎07-07-2015 06:25 AM

Removed the local. files and the boxes came back up.

Still not sure what is filling up these mongo data files.

Anyone got an idea? They are setup as a Search Head Cluster.

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎07-06-2015 05:42 AM

Do you have ES or PCI? Those use KVStore. Check for any collections.conf files in all the directories to see if any kvstores are configured. You may also want to drill down in that folder to see what actually is the cause. There could be a configuration error that is causing the mongodb to spit errors, and that could be filling up the folder.

0 Karma
Reply

harrymclaren
Explorer
‎07-06-2015 05:55 AM

No apps are installed.

Files are:
local.0 (.1, .2 , .ns)

The are no conf files in the directory (/opt/splunk/var/lib/splunk/kvstore/mongo)

That SH now won't start as displays the error:
Operation "fclose" failed in /home/build/build-src/6.2.3/src/libzero/conf-mutator-locking.c:336, conf_mutator_lock(); No space left on device.

What are those 'local.' files used for? I don't even have any data inputs configured yet, only thing that has been done is, standard install, configure connection to license server, configure cluster and configure LDAP for login.

Any help is appreciated, thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...