Solved: Re: _internal large amounts of data incoming

zubairaizatron · ‎09-03-2020

i have an average of 100 events coming into the splunk _internal index per minute on a instance that is not very busy and is being used by 2 people. I reduced the bucket size to allow the data to roll over sooner to avoid a disk space error. are there any configurations that im missing that could slow down the incoming events.

gcusello · ‎09-03-2020

Hi @zubairaizatron,

all the events arrive from an inputs.conf configuration file, so you could reduce some logs to ingest, but I don't hint this.

All the Splunk logs could be useful to debug problems; eventually you could reduce the retention of _internal logs that are the most relevant.

By default it has 30 days retention, you could reduce it to 15 or 10 modifying indexes.conf in $SPLUNK_HOME/etc/system/local; if there isn't copy it from default folder and modify.

Anyway, _internal logs don't consume license.

Ciao.

Giuseppe

View solution in original post

gcusello · ‎09-03-2020

Hi @zubairaizatron,

all the events arrive from an inputs.conf configuration file, so you could reduce some logs to ingest, but I don't hint this.

All the Splunk logs could be useful to debug problems; eventually you could reduce the retention of _internal logs that are the most relevant.

By default it has 30 days retention, you could reduce it to 15 or 10 modifying indexes.conf in $SPLUNK_HOME/etc/system/local; if there isn't copy it from default folder and modify.

Anyway, _internal logs don't consume license.

Ciao.

Giuseppe

gcusello · ‎09-07-2020

Hi @zubairaizatron,

good for you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

_internal large amounts of data incoming

index

indexer

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!