Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Indexing stopped due to low disk space for one source

msarro
Builder
‎06-06-2012 11:11 AM

Hey everyone. I have several sources being spread over 4 indexers.
I periodically receive error messages stating that space is low on /splunk/hot/{some source name}, specifically "Search peer server-chi-a2.sys.mycompany.net has the following message: You are low in disk space on partition "/splunk/hot/AS-CDR". Indexing has been paused. Will resume when free disk space rises above 2000MB." It shows up for around 10 minutes, and then disappears.

Here is my indexes.conf file's contents:

[XS]
disabled=false
homePath=volume:HOT/XS-CDR
coldPath=volume:COLD/XS-CDR
thawedPath=/splunk/thawed/XS-CDR
maxDataSize=auto

[AS]
disabled=false
homePath=volume:HOT/AS-CDR
coldPath=volume:COLD/AS-CDR
thawedPath=/splunk/thawed/AS-CDR
maxDataSize=auto

[PBTS]
disabled=false
homePath=volume:HOT/PBTS
coldPath=volume:COLD/PBTS
thawedPath=/splunk/thawed/PBTS
maxDataSize=auto_high_volume

[CMS]
disabled=false
homePath=volume:HOT/CMS
coldPath=volume:COLD/CMS
thawedPath=/splunk/thawed/CMS
maxDataSize=auto_high_volume

[MSP]
disabled=false
homePath=volume:HOT/MSP
coldPath=volume:COLD/MSP
thawedPath=/splunk/thawed/MSP
maxDataSize=auto

[KPI]
disabled=false
homePath=volume:HOT/KPI
coldPath=volume:COLD/KPI
thawedPath=/splunk/thawed/KPI
maxDataSize=auto

[LICENSING]
disabled=false
homePath=volume:HOT/LICENSING
coldPath=volume:COLD/LICENSING
thawedPath=/splunk/thawed/LICENSING
maxDataSize=auto

[CER]
disabled=false
homePath=volume:HOT/CER
coldPath=volume:COLD/CER
thawedPath=/splunk/thawed/CER
maxDataSize=auto_high_volume

[volume:HOT]
path=/splunk/hot
maxVolumeDataSizeMB=140000

[volume:COLD]
path=/splunk/cold
maxVolumeDataSizeMB=840000

The /splunk/hot LUN is 150 GB, and the /splunk/cold LUN is ~850GB (both housed on a SAN). I used volume sizing for the configuration as I did because I don't truly know how much space each individual source will use as the devices are incredibly bursty, and this should let splunk control it for me. I also purposely left the volume sizes around 10GB lower than the LUN size. If splunk is listening to its config files, I should never see a <2000MB free error, since at all times I should have at least 10GB free on each LUN. Has anyone else seen this? Is there something wrong with my config that I'm missing? I'd appreciate the help. Thanks!

Tags (2)
Reply

mad4wknds
Path Finder
‎03-02-2014 05:57 PM

I have only seen this where the indexer is also configured as a deployment server.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk MCP & Agentic AI: Machine Data Without Limits

  Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization ...

Finding Based Detections General Availability

Overview  We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars  Sometimes, you just need to see the code. For those looking for a ...