Getting Data In

Indexers running out of space despite config in indexes.conf

alekksi
Communicator

Hi all,

On one of my environments, I ran out of space on the weekend. As it's not my primary production environment, generally I don't want to micro-manage indexes or retention as we do with production. I don't really care how long data is retained for, but I want to retain it for as long as possible before space limits hit.

In this case, if I have the following settings, why will it go 10-15 GB over the hot limit, even following a rolling restart of the indexer cluster?

[volume:hot1]
path = /splunkdata/hot
maxVolumeDataSizeMB = 70000

[volume:cold1]
path = /splunkdata/cold
maxVolumeDataSizeMB = 30000
0 Karma

ddrillic
Ultra Champion

Jeremiah
Motivator

What are the settings you have for your indexes?

0 Karma

alekksi
Communicator

In this case I don't want to manage the settings for my indexers individually. This is a test environment where I want an absolute max size and not to worry about retention for individual indexes, while still keeping as much data as possible.

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...