Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Too many tsidx files

rxdeleon
Explorer
‎04-25-2012 07:34 AM

I keep on getting the following message. Which "disk space" is this message referring to? The /var/splunk filesystem currently has 20 GB of free space.

"applying indexing throttle for /var/splunk/mck-app-log/db because bucket has too many tsidx files, is your splunk-optimize working? splunk-optimize may be prevented from running if the minimum disk space usage limit is reached."

0 Karma
Reply

saramamurthy_sp
Splunk Employee
Splunk Employee
‎06-27-2019 11:52 PM

Kindly, check for which specific indexes and for which bucket directories it is giving the error.

Generally, whenever an index generates too many small tsidx files(more than 25) Splunk is not able to optimize all those files within the specified time period.

Kindly, run the below command against the specific directory to optimize it manually:-

splunk-optimize -d|--directory

Or you can make the below changes in Indexes.conf to fix the issue:-

indexes.conf
[default]
maxConcurrentOptimizes=25
maxRunningProcessGroups=12
processTrackerServiceInterval=0

Please go through the below documentation to have a better understanding of Splunk Optimization.
http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Optimizeindexes

0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎04-25-2012 11:16 AM

This can happen if you are indexing a lot of data at once. If you look in the above directory, how many *.tsidx files do you see?

In rare cases where you don't have much CPU and/or disk IOPS, splunk-optimize.exe might take a long time to run and it could fall behind. If you use top on linux or task manager on Windows, do you see that any splunk-optimize or splunk-optimize.exe processes have been running for more than a minute or two?

Reply

araitz
Splunk Employee
Splunk Employee
‎04-26-2012 02:20 PM

Sorry for not asking specfically before, but how many tsidx files per bucket (e.g. db_* or 'hot_*`)? A few up to a few dozen per bucket is fine. 300 per bucket is not. If it is the latter, what are the specs of your system (OS, filesystem, CPU, Memory, Disk) and how much data are you indexing per day (approximately)?

0 Karma
Reply

rxdeleon
Explorer
‎04-26-2012 12:33 PM

I see almost 300 *.tsidx files but I don't see splunk-optimize running. Is there a log file where splunk-optimize writes to?

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...