Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to control splunk logs splunkd_stderr.log & sp...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to control splunk logs splunkd_stderr.log & splunkd-utility.log filling up disk space
Hi,
I have installed Splunk having very limited space. I am able to manage other logs my modifying /etc/log.cfg file.
However, do not find any parameter to rotate/control splunkd_stderr.log & splunkd-utility.log.
Do we have any separate parameter/file to manage these Splunk logs?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For this specific index you can allocate (a lot) less than the 1/2 terabyte assigned, by default, for each index.
To begin with, you can run the following to know how much each index consumes -
| rest /services/data/indexes
| eval perc=(currentDBSizeMB * 100 / maxTotalDataSizeMB )
| table title currentDBSizeMB maxTotalDataSizeMB perc
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I downvoted this post because this is a completely irrelevant answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh oh - really sorry ; -) but truly it's really relevant.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I agree. What is the point of decreasing the size of the log files if they are all indexed with a max size of 1/2 TB anyway?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
As you mentioned most logs can be controlled from /etc/log.cfg, however there are some logs such as splunkd_stderr.log that are effectively "hard coded" and cannot be changed. However, it was suggested that you could use a symbolic link to move the files to your preferred location.
Best Regards,
BPitts2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you,
As last solution will write script or create symbolic link.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looks like we can manage splunkd-utility.log by changing parameter in log-utility.cfg.
Any how its 5 MB and will limit to 1 rotation than 5.
appender.A1.fileName=${SPLUNK_HOME}/var/log/splunk/splunkd-utility.log
appender.A1.maxFileSize=5000000 # default: 5MB (specified in bytes).
appender.A1.maxBackupIndex=5
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good to know, thanks!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
