Solved: Question regarding .tsidx and journal.gz file

sunnyparmar · ‎01-17-2016

Hi,

I have Splunk installed on Linux and my /data directory is going to full very soon and on further findings what i have found is that .tsidx and journal.gz files are taking lots of space in directory so is there any harm if i will delete these files or is there any other way to get rid of these files.

Thanks in advance

renjith_nair · ‎01-17-2016

journal is your compressed raw data and tsidx are your index files. In other terms, these constitute your splunk data. It's not advisable to delete these files manually but adjust your frozenTimePeriodInSecs and maxTotalDataSizeMB in indexes.conf to delete old data from splunk.

Details about data retention is here : http://docs.splunk.com/Documentation/Splunk/5.0/Indexer/Setaretirementandarchivingpolicy

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair · ‎01-17-2016

journal is your compressed raw data and tsidx are your index files. In other terms, these constitute your splunk data. It's not advisable to delete these files manually but adjust your frozenTimePeriodInSecs and maxTotalDataSizeMB in indexes.conf to delete old data from splunk.

Details about data retention is here : http://docs.splunk.com/Documentation/Splunk/5.0/Indexer/Setaretirementandarchivingpolicy

---
What goes around comes around. If it helps, hit it with Karma 🙂

sunnyparmar · ‎01-17-2016

thanks.. got it..

Question regarding .tsidx and journal.gz file

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)