Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

_internal large amounts of data incoming

zubairaizatron
Explorer
‎09-03-2020 02:17 AM

i have an average of 100 events coming into the splunk _internal index per minute on a instance that is not very busy and is being used by 2 people. I reduced the bucket size to allow the data to roll over sooner to avoid a disk space error. are there any configurations that im missing that could slow down the incoming events.

 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-03-2020 02:31 AM

Hi @zubairaizatron,

all the events arrive from an inputs.conf configuration file, so you could reduce some logs to ingest, but I don't hint this.

All the Splunk logs could be useful to debug problems; eventually you could reduce the retention of _internal logs that are the most relevant.

By default it has 30 days retention, you could reduce it to 15 or 10 modifying indexes.conf in $SPLUNK_HOME/etc/system/local; if there isn't copy it from default folder and modify.

Anyway, _internal logs don't consume license.

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-03-2020 02:31 AM

Hi @zubairaizatron,

all the events arrive from an inputs.conf configuration file, so you could reduce some logs to ingest, but I don't hint this.

All the Splunk logs could be useful to debug problems; eventually you could reduce the retention of _internal logs that are the most relevant.

By default it has 30 days retention, you could reduce it to 15 or 10 modifying indexes.conf in $SPLUNK_HOME/etc/system/local; if there isn't copy it from default folder and modify.

Anyway, _internal logs don't consume license.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-07-2020 01:01 AM

Hi @zubairaizatron,

good for you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...