Solved: _internal large amounts of data incoming

zubairaizatron · ‎09-03-2020

i have an average of 100 events coming into the splunk _internal index per minute on a instance that is not very busy and is being used by 2 people. I reduced the bucket size to allow the data to roll over sooner to avoid a disk space error. are there any configurations that im missing that could slow down the incoming events.

gcusello · ‎09-03-2020

Hi @zubairaizatron,

all the events arrive from an inputs.conf configuration file, so you could reduce some logs to ingest, but I don't hint this.

All the Splunk logs could be useful to debug problems; eventually you could reduce the retention of _internal logs that are the most relevant.

By default it has 30 days retention, you could reduce it to 15 or 10 modifying indexes.conf in $SPLUNK_HOME/etc/system/local; if there isn't copy it from default folder and modify.

Anyway, _internal logs don't consume license.

Ciao.

Giuseppe

View solution in original post

gcusello · ‎09-03-2020

Hi @zubairaizatron,

all the events arrive from an inputs.conf configuration file, so you could reduce some logs to ingest, but I don't hint this.

All the Splunk logs could be useful to debug problems; eventually you could reduce the retention of _internal logs that are the most relevant.

By default it has 30 days retention, you could reduce it to 15 or 10 modifying indexes.conf in $SPLUNK_HOME/etc/system/local; if there isn't copy it from default folder and modify.

Anyway, _internal logs don't consume license.

Ciao.

Giuseppe

gcusello · ‎09-07-2020

Hi @zubairaizatron,

good for you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

_internal large amounts of data incoming

index

indexer

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor