Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Indexing stopped due to low disk space for one source

msarro
Builder
‎06-06-2012 11:11 AM

Hey everyone. I have several sources being spread over 4 indexers.
I periodically receive error messages stating that space is low on /splunk/hot/{some source name}, specifically "Search peer server-chi-a2.sys.mycompany.net has the following message: You are low in disk space on partition "/splunk/hot/AS-CDR". Indexing has been paused. Will resume when free disk space rises above 2000MB." It shows up for around 10 minutes, and then disappears.

Here is my indexes.conf file's contents:

[XS]
disabled=false
homePath=volume:HOT/XS-CDR
coldPath=volume:COLD/XS-CDR
thawedPath=/splunk/thawed/XS-CDR
maxDataSize=auto

[AS]
disabled=false
homePath=volume:HOT/AS-CDR
coldPath=volume:COLD/AS-CDR
thawedPath=/splunk/thawed/AS-CDR
maxDataSize=auto

[PBTS]
disabled=false
homePath=volume:HOT/PBTS
coldPath=volume:COLD/PBTS
thawedPath=/splunk/thawed/PBTS
maxDataSize=auto_high_volume

[CMS]
disabled=false
homePath=volume:HOT/CMS
coldPath=volume:COLD/CMS
thawedPath=/splunk/thawed/CMS
maxDataSize=auto_high_volume

[MSP]
disabled=false
homePath=volume:HOT/MSP
coldPath=volume:COLD/MSP
thawedPath=/splunk/thawed/MSP
maxDataSize=auto

[KPI]
disabled=false
homePath=volume:HOT/KPI
coldPath=volume:COLD/KPI
thawedPath=/splunk/thawed/KPI
maxDataSize=auto

[LICENSING]
disabled=false
homePath=volume:HOT/LICENSING
coldPath=volume:COLD/LICENSING
thawedPath=/splunk/thawed/LICENSING
maxDataSize=auto

[CER]
disabled=false
homePath=volume:HOT/CER
coldPath=volume:COLD/CER
thawedPath=/splunk/thawed/CER
maxDataSize=auto_high_volume

[volume:HOT]
path=/splunk/hot
maxVolumeDataSizeMB=140000

[volume:COLD]
path=/splunk/cold
maxVolumeDataSizeMB=840000

The /splunk/hot LUN is 150 GB, and the /splunk/cold LUN is ~850GB (both housed on a SAN). I used volume sizing for the configuration as I did because I don't truly know how much space each individual source will use as the devices are incredibly bursty, and this should let splunk control it for me. I also purposely left the volume sizes around 10GB lower than the LUN size. If splunk is listening to its config files, I should never see a <2000MB free error, since at all times I should have at least 10GB free on each LUN. Has anyone else seen this? Is there something wrong with my config that I'm missing? I'd appreciate the help. Thanks!

Tags (2)
Reply

mad4wknds
Path Finder
‎03-02-2014 05:57 PM

I have only seen this where the indexer is also configured as a deployment server.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...