How to clean stash_new files from the spool directory

OldManEd
Builder

All, my /opt/splunk/var/spool/splunk directory has 83,000 plus "*.stash_new" files in it and I would like to clear them out. I have seen references to this issue but no real solutions. If anyone has figured out how to accomplish this, can you please pass along the procedure?

I've noticed that the files go back to March of last year. Does anyone know the implications of simply deleting these real old files?

Thanks in advance.

UPDATE: I was troubleshooting another issue on this Splunk instance that required a Splunk restart. After the restart I noticed in the splunkd.log file that Splunk was going through all 83,000 files trying to reread them, and failing. I understand that rereading the stash_new files in the spool directory at startup is normal Splunk processing. Now I understand why I did not notice any current missing data.

So I'm back to the consequences of simply deleting the old stash_new files. Does anyone have experience with that?


yannK
Splunk Employee

They are the files created for the summary indexing, and should have been deleted once indexed.

Looks like you encountered the error described here: http://answers.splunk.com/answers/70072/summary-indexing-blocked-and-binary-file-warning

Please upgrade to 5.0.3 or more recent, and verify that no new files get stuck in the folder (they should stay there only a few minutes).

About the old files, they are old summary reports.
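
A read-only way to run the "verify that no new files get stuck" check from the answer above, as an added example that is not part of the original posts and not Splunk's own tooling. The spool path comes from the question; the 10-minute threshold is an assumed reading of "only a few minutes", and `date -r FILE` assumes GNU date.

```shell
#!/bin/sh
# Added example: report *.stash_new files lingering in the spool directory.
# Nothing is deleted or modified; the script only lists and counts.
SPOOL_DIR="${SPOOL_DIR:-/opt/splunk/var/spool/splunk}"  # path from the question
MAX_AGE_MIN="${MAX_AGE_MIN:-10}"                        # assumed threshold

# One path per line for every *.stash_new file older than $2 minutes in $1.
list_stuck() {
    find "$1" -maxdepth 1 -type f -name '*.stash_new' -mmin "+$2" 2>/dev/null
}

# Number of stuck files.
count_stuck() {
    list_stuck "$1" "$2" | wc -l | tr -d ' '
}

# "YYYY-MM count" per month of last modification, oldest month first.
# Shows whether the backlog predates an upgrade or is still growing.
stuck_by_month() {
    list_stuck "$1" "$2" | while IFS= read -r f; do
        date -r "$f" +%Y-%m
    done | sort | uniq -c | awk '{print $2, $1}'
}

# Returns 0 when the spool is clean, 1 when files are stuck (usable from cron
# or a monitoring check).
report() {
    _n=$(count_stuck "$1" "$2")
    if [ "$_n" -eq 0 ]; then
        echo "OK: no stash_new files older than $2 min in $1"
        return 0
    fi
    echo "WARN: $_n stash_new files older than $2 min in $1"
    stuck_by_month "$1" "$2"
    return 1
}

# Run the check only when asked: sh check_stash.sh --check
if [ "${1:-}" = "--check" ]; then
    report "$SPOOL_DIR" "$MAX_AGE_MIN"
    exit $?
fi
```

If the newest month in the output is older than the upgrade date, no new files are getting stuck.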


OldManEd
Builder

yannK,
Thanks for the update. We just ran an upgrade to 5.0.5 on Saturday, 5 days ago. And the last file was from 02/15, when we updated. I just wanted to make sure that if I delete the old files something else won't blow up.
