Getting Data In

Question regarding .tsidx and journal.gz file

sunnyparmar
Communicator

Hi,

I have Splunk installed on Linux and my /data directory is going to full very soon and on further findings what i have found is that .tsidx and journal.gz files are taking lots of space in directory so is there any harm if i will delete these files or is there any other way to get rid of these files.

Thanks in advance

Tags (2)
0 Karma
1 Solution

renjith_nair
Legend

journal is your compressed raw data and tsidx are your index files. In other terms, these constitute your splunk data. It's not advisable to delete these files manually but adjust your frozenTimePeriodInSecs and maxTotalDataSizeMB in indexes.conf to delete old data from splunk.

Details about data retention is here : http://docs.splunk.com/Documentation/Splunk/5.0/Indexer/Setaretirementandarchivingpolicy

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair
Legend

journal is your compressed raw data and tsidx are your index files. In other terms, these constitute your splunk data. It's not advisable to delete these files manually but adjust your frozenTimePeriodInSecs and maxTotalDataSizeMB in indexes.conf to delete old data from splunk.

Details about data retention is here : http://docs.splunk.com/Documentation/Splunk/5.0/Indexer/Setaretirementandarchivingpolicy

---
What goes around comes around. If it helps, hit it with Karma 🙂

sunnyparmar
Communicator

thanks.. got it..

0 Karma
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...