Hi,
I have installed Splunk having very limited space. I am able to manage other logs by modifying the /etc/log.cfg file.
However, I do not find any parameter to rotate/control splunkd_stderr.log & splunkd-utility.log.
Do we have any separate parameter/file to manage these Splunk logs?
For this specific index you can allocate (a lot) less than the 1/2 terabyte assigned, by default, for each index.
To begin with, you can run the following to know how much each index consumes -
| rest /services/data/indexes
| eval perc=(currentDBSizeMB * 100 / maxTotalDataSizeMB )
| table title currentDBSizeMB maxTotalDataSizeMB perc
I downvoted this post because this is a completely irrelevant answer.
Oh oh - really sorry ;-) but truly it's really relevant.
I agree. What is the point of decreasing the size of the log files if they are all indexed with a max size of 1/2 TB anyway?
Hello,
As you mentioned, most logs can be controlled from /etc/log.cfg; however, there are some logs such as splunkd_stderr.log that are effectively "hard coded" and cannot be changed. However, it was suggested that you could use a symbolic link to move the files to your preferred location.
Best Regards,
BPitts2
Thank you,
As a last solution, I will write a script or create a symbolic link.
Looks like we can manage splunkd-utility.log by changing a parameter in log-utility.cfg.
Anyhow, it's 5 MB, and I will limit it to 1 rotation rather than 5.
appender.A1.fileName=${SPLUNK_HOME}/var/log/splunk/splunkd-utility.log
appender.A1.maxFileSize=5000000 # default: 5MB (specified in bytes).
appender.A1.maxBackupIndex=5
Good to know, thanks!
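
Added example, not written by any poster in this thread and not Splunk's own tooling: a size-based rotation script of the kind mentioned above for splunkd_stderr.log, which log.cfg does not control. It assumes the writing process keeps the file open, so it copies and truncates in place instead of renaming; the function name, the limits and the cron line are hypothetical.

```shell
#!/bin/sh
# Added example: copy-truncate rotation for a log that log.cfg cannot manage.
# Assumption: the writer (splunkd) holds the file open, so the file is
# truncated in place rather than renamed, keeping the open descriptor valid.

# rotate_if_large FILE MAX_BYTES KEEP   (KEEP >= 1 backups are retained)
# Returns 0 if a rotation happened, 1 if FILE is missing or within the limit.
rotate_if_large() {
    file=$1; max_bytes=$2; keep=$3
    [ -f "$file" ] || return 1

    # Arithmetic expansion strips the padding some wc implementations emit.
    size=$(($(wc -c < "$file")))
    [ "$size" -gt "$max_bytes" ] || return 1

    # Shift backups up: FILE.(KEEP-1) -> FILE.KEEP, ..., FILE.1 -> FILE.2.
    # The oldest backup is overwritten, which bounds total disk use to
    # roughly (KEEP + 1) * MAX_BYTES plus whatever arrives between runs.
    i=$keep
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        [ -f "$file.$prev" ] && mv -f "$file.$prev" "$file.$i"
        i=$prev
    done

    # Copy, then truncate. Lines written between the two steps are lost,
    # which is the usual trade-off of copy-truncate rotation.
    cp -p "$file" "$file.1" && : > "$file"
}

# Hypothetical cron usage (5 MB limit, 1 backup), after sourcing this file:
#   rotate_if_large "$SPLUNK_HOME/var/log/splunk/splunkd_stderr.log" 5000000 1
```

Because the backups are plain copies, they keep the original file's mode and timestamps (`cp -p`); check that the retained history is still enough for troubleshooting before lowering the limits further.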