Solved: Question regarding .tsidx and journal.gz file

sunnyparmar · ‎01-17-2016

Hi,

I have Splunk installed on Linux and my /data directory is going to full very soon and on further findings what i have found is that .tsidx and journal.gz files are taking lots of space in directory so is there any harm if i will delete these files or is there any other way to get rid of these files.

Thanks in advance

renjith_nair · ‎01-17-2016

journal is your compressed raw data and tsidx are your index files. In other terms, these constitute your splunk data. It's not advisable to delete these files manually but adjust your frozenTimePeriodInSecs and maxTotalDataSizeMB in indexes.conf to delete old data from splunk.

Details about data retention is here : http://docs.splunk.com/Documentation/Splunk/5.0/Indexer/Setaretirementandarchivingpolicy

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair · ‎01-17-2016

journal is your compressed raw data and tsidx are your index files. In other terms, these constitute your splunk data. It's not advisable to delete these files manually but adjust your frozenTimePeriodInSecs and maxTotalDataSizeMB in indexes.conf to delete old data from splunk.

Details about data retention is here : http://docs.splunk.com/Documentation/Splunk/5.0/Indexer/Setaretirementandarchivingpolicy

---
What goes around comes around. If it helps, hit it with Karma 🙂

sunnyparmar · ‎01-17-2016

thanks.. got it..

Question regarding .tsidx and journal.gz file

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?