Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

filesystem full - now what?

a212830
Champion
‎04-01-2013 07:23 AM

Hi,

My splunk search-head/indexer filled up the filesystem that it was running on. When I try to login, it give me an error (out of space). I wanted to reduce the size of certain indexers, to clean-up space. How can I do that without the gui? Anything else that I can delete?

Tags (1)
0 Karma
Reply

lguinn2
Legend
‎04-01-2013 09:51 AM

+1 to Martin's answer. Also, since you probably need to recover at least a little disk space for Splunk to restart -
You can examine the contents of the following directories and delete files:

Splunk's own logs: $SPLUNK_HOME/var/log/splunk

Search results for running searches, and saved search results: $SPLUNK_HOME/var/run/splunk/dispatch

Note that removing the saved search results may cause some users to need to re-run old searches; in some environments, this might not be a good idea.

Finally, you might think about setting your maximum index sizes so that the sum of all indexes cannot exceed your disk capacity.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-01-2013 08:50 AM

You can always edit indexes.conf to reduce index sizes, no UI required.

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf

Reply

I_am_Jeff
Communicator
‎04-01-2013 09:15 AM

My version in 4.3. I've used maxDataSizeMB option to limit sizes. If you are using different file systems for hot and cold indexes, as I am, homePath.maxDataSizeMB and coldPath.masDataSizeMB operate independently. My experience is it takes Splunk a while to clean house once you set these options and restart.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...