Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to control splunk logs splunkd_stderr.log & splunkd-utility.log filling up disk space

anantdeshpande
Path Finder
‎10-19-2016 05:14 AM

Hi,
I have installed Splunk having very limited space. I am able to manage other logs my modifying /etc/log.cfg file.
However, do not find any parameter to rotate/control splunkd_stderr.log & splunkd-utility.log.

Do we have any separate parameter/file to manage these Splunk logs?

Tags (1)
0 Karma
Reply

ddrillic
Ultra Champion
‎10-19-2016 06:17 AM

For this specific index you can allocate (a lot) less than the 1/2 terabyte assigned, by default, for each index.

To begin with, you can run the following to know how much each index consumes - 

| rest /services/data/indexes 
| eval perc=(currentDBSizeMB * 100 / maxTotalDataSizeMB ) 
| table title currentDBSizeMB maxTotalDataSizeMB perc
Reply

bpitts2
Path Finder
‎10-19-2016 06:19 AM

I downvoted this post because this is a completely irrelevant answer.

0 Karma
Reply

ddrillic
Ultra Champion
‎10-19-2016 06:27 AM

Oh oh - really sorry ; -) but truly it's really relevant.

0 Karma
Reply

lukejadamec
Super Champion
‎10-19-2016 06:30 AM

I agree. What is the point of decreasing the size of the log files if they are all indexed with a max size of 1/2 TB anyway?

0 Karma
Reply

bpitts2
Path Finder
‎10-19-2016 06:00 AM

Hello,

As you mentioned most logs can be controlled from /etc/log.cfg, however there are some logs such as splunkd_stderr.log that are effectively "hard coded" and cannot be changed. However, it was suggested that you could use a symbolic link to move the files to your preferred location.

Reference:
https://answers.splunk.com/answers/9879/possible-to-move-splunks-log-folder-splunk-home-var-log-splu...

Best Regards,
BPitts2

0 Karma
Reply

anantdeshpande
Path Finder
‎10-19-2016 06:15 AM

Thank you,
As last solution will write script or create symbolic link.

0 Karma
Reply

anantdeshpande
Path Finder
‎10-19-2016 06:18 AM

Looks like we can manage splunkd-utility.log by changing parameter in log-utility.cfg.
Any how its 5 MB and will limit to 1 rotation than 5.

appender.A1.fileName=${SPLUNK_HOME}/var/log/splunk/splunkd-utility.log

appender.A1.maxFileSize=5000000 # default: 5MB (specified in bytes).

appender.A1.maxBackupIndex=5

Reply

bpitts2
Path Finder
‎10-19-2016 06:20 AM

Good to know, thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...