Why would my audit index grow to over 300g suddenly?

This happened on the SH. The _audit index normally sits at about 80 MB, so getting an alert that I was nearly out of storage for Splunkhome was a surprise.
For immediate impact I altered the size of the index to 500 MB, let the storage clear up, and reset the storage to allow up to 10 GB.

Unless there is a misconfigured input feeding the audit index, the easiest answer is that there seems to be a large amount of change in your environment. The DIY solution would be to search the audit index to identify what changes are occurring. These could be a script making changes to the Splunk files on disk, or a large/excess amount of activity. Here's a list of all of the activities that would cause an entry in the audit index:



Well, with the data already gone, it might be difficult to determine the cause.
However - if it still grows fast now, you could simply take a look at what kind of messages appear very frequently, e.g. using the Pattern tab.
This would most likely give you an idea why this has happened.
Also - is this a personal instance, or a corporate one? Production, dev or test? Available from the internet, or LAN only?

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

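Both answers above come down to the same step: find out which activity is filling _audit. The following search is an added example (not posted by either answerer) that does that on the search head itself, sizing audit events per hour by action and user so the spike and its source stand out; the field names `action` and `user` are standard in _audit events, and the 7-day window is an assumption to adjust.

```spl
index=_audit earliest=-7d@d
| eval bytes=len(_raw)
| bin _time span=1h
| stats count AS events, sum(bytes) AS bytes BY _time, action, user
| eval mb=round(bytes/1024/1024, 2)
| sort -bytes
| head 50
| table _time, action, user, events, mb
```

A single action/user pair dominating the top rows (for example one service account issuing a flood of searches, or a configuration-sync script rewriting files) is usually the culprit; widen the window or drop the `head` once the hour of interest is known.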