Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does my Splunk indexer keep running out of space with my current indexes.conf?

gozulin
Communicator
‎02-24-2016 01:04 PM

The indexer pauses indexing when free space goes under 5GB on the main partition. This is caused by too many warm buckets filling up space instead of being moved to cold buckets on the larger, spinning-disk volume.

I have a 3.2TB volume for hot/warm data on SSD and a 12TB volume for cold data on spinning disk. This is my indexes.conf. What am I doing wrong? 

#general
maxWarmDBCount = 300 
homePath.maxDataSizeMB = 3200000
coldPath.maxDataSizeMB = 12000000

#Volumes
[volume:caliente]
path = /splunkdata
maxVolumeDataSizeMB = 3200000

[volume:frio]
path = /cold
maxVolumeDataSizeMB = 12000000

# indexes
[_audit]
thawedPath = $SPLUNK_DB/audit/thaweddb
tstatsHomePath = volume:_splunk_summaries/audit/datamodel_summary
homePath = volume:caliente/splunk_indexes/audit/db
coldPath = volume:frio/_audit

[shenanigans]
thawedPath = $SPLUNK_DB/shenanigans/thaweddb
tstatsHomePath = volume:_splunk_summaries/shenanigans/datamodel_summary
maxConcurrentOptimizes = 6
maxHotIdleSecs = 86400
maxDataSize = auto_high_volume
homePath = volume:caliente/splunk_indexes/shenanigans/db
coldPath = volume:frio/shenanigans
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-25-2016 08:14 AM

Check out the maxHotSpanSecs attribute. The default value of 90 days may be too high for your environment.
Also, have a look at maxWarmDBCount.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-25-2016 08:14 AM

Check out the maxHotSpanSecs attribute. The default value of 90 days may be too high for your environment.
Also, have a look at maxWarmDBCount.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

gozulin
Communicator
‎02-25-2016 09:39 AM

Problem solved thanks to Yasaswy and Rich.

Reducing the maxWarmDBCount was the solution.

0 Karma
Reply
Solved! Jump to solution

gozulin
Communicator
‎02-25-2016 09:37 AM

maxWarmDBCount is very effective. Thanks! Dialing it down to 50 should do the trick. Thanks.

I don't understand how maxHotSpanSecs would help, I have 8 indexes and the fastest-growing ones roll over at around 6GB. Could you explain?

0 Karma
Reply
Solved! Jump to solution

Yasaswy
Contributor
‎02-25-2016 08:40 AM

Hi, Some observations... you have maxWarmDBCount = 300 and also have maxDataSize = auto_high_volume. On a 64bit system it would mean each bucket might take upto 10 GB and you have set the warm count at 300 (add 10 hot buckets as well).

It looks like, depending on the activity, in the worst case scenario the homepath will be almost full 3.2 TB (300 * 10 for your warmbuckets at 10 GB + 10 hot buckets). Why don't you reduce the warm count? Eg... setting the warmcount to 250 would mean 500 GB space left on your homepath ..... as they will start rolling over.

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-25-2016 04:40 AM

What error message or other symptom of a problem do you see?

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

gozulin
Communicator
‎02-25-2016 07:49 AM

The indexer pauses indexing when free space goes under 5GB on the main partition. This is caused by too many warm buckets filling up space instead of being moved to cold buckets on the larger, spinning-disk volume.

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...