Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

index size

dall
Path Finder
‎12-22-2020 08:27 PM

in my stand alone environment 

indexes.conf:

maxDataSize=100mb

maxTotalDataSizemb=200000

but in ui one of index current size is 40gb max size is 500gb

as i understood that maxdata size =100mb means when hot bucket ll reach 100mb that ll pass to anaotherbucket

and maxtotaldatasizemb=200000=200gb(hot+warm+cold)

than current size of 40gb means that data ll b in hot bucket or what ?

please clarify this one

 

Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-23-2020 01:16 AM

Hi @dall,

when you configure an index in UI you have to declare the app containing the indexes.conf and few informations (paths, maxdatasize and few other thing).

using UI you don't setup retention etc...

You can setup these options later, modifying indexes.conf files.

For more infos see at https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Indexesconf

I hint to follow the admin certification path to learn about this.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-22-2020 11:22 PM

Hi @dall,

your configuration means that:

  • you have 100 MB of hot buckets (as you said) that continously roll to warm because it's a very small dimension,
  • warm and cold buckets have a size of 40 GB (minus 20 hot) and can grow to 200 GB.
  • the size of warm buckets depends on the number of warm buckets, because when you have 300 warm buckets, Splunk starts to roll to cold.
  • Also for this reason it's better to have e greater dimension for buckets.

Anyway, these values are set for each index, so if you have an index with a diferent configuration (500 max data size) probably it's differently set.

you can see the indexes configuration in two ways:

  • using btool you can see all the indexes active configurations, so you can find the configuuration of the different index: $SPLUNK_HOME/bin/splunk cmd btool indexs list --debug > indexes.txt;
  • using [Settings -- Indexes ] you can find which is the app where an index is configurated;

so you can intervene to change configurations.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

dall
Path Finder
‎12-23-2020 01:07 AM

when created index in ui gave homepath,coldpath,thawedpath 

not configured in indexes.conf for that particular index 

not given any retention period ,maxdatasize and all

can i set now for that index and others also

is there any issue i ll face if i ll add in indexes.conf

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-23-2020 01:16 AM

Hi @dall,

when you configure an index in UI you have to declare the app containing the indexes.conf and few informations (paths, maxdatasize and few other thing).

using UI you don't setup retention etc...

You can setup these options later, modifying indexes.conf files.

For more infos see at https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Indexesconf

I hint to follow the admin certification path to learn about this.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-23-2020 01:20 AM

Hi @dall,

good for you.

Ciao and happy splunking.

Giuseppe.

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution

dall
Path Finder
‎12-23-2020 01:17 AM

thank u so much @gcusello 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...