Getting Data In

What are possible files to clear disk space in Splunk indexer?



In my production environment we allocated disk space around 800GB but still it's not enough. It is eating lot of disk space. Can someone suggest what are the possible files we can clear in Splunk Indexer in Production Environment.

0 Karma


You have the raw data and the tsidx files that make up an index. Those tsidx files utilize quite a bit of storage (size is based on uniqueness of data). So you could always set tsidx reduction based on index which should give you ~30-50% reduction in disk space. But be warned, this will have a significant performance hit and should only be used on data that is rarely searched but must be retained

Ultra Champion

add a cap to indexes size in indexes.conf
leverage the config:

maxTotalDataSizeMB = <nonnegative integer>
* The maximum size of an index (in MB).
* If an index grows larger than the maximum size, the oldest data is frozen.
* This parameter only applies to hot, warm, and cold buckets.  It does not
  apply to thawed buckets.
* Highest legal value is 4294967295
* Defaults to 500000.

read here more:
also read this manual all the way through for capacity planing:
hope it helps

Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...