Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

kvstore mongo directory is very large

aecruzp
Path Finder
‎02-18-2019 10:39 AM

Hi.

I have a issue, we migrate Splunk from 6.6.11 to 7.2.3 in both cluster (SH and Indexer), on indexer we aply migration migration-kvstore, but not on the SH nodes.

The mongo (/home/splunk/splunk/var/lib/splunk/kvstore/mongo) directory have 350 GB ocuppied of the hard disk, and We are critical.
On the log file say (many lines):
2019-02-18T15:17:11.083Z I STORAGE [initandlisten] Found drop-pending namespace s_monitoDjADiK3LuYveVmB44TZEiI13_OBJ_GExkG7i403ybeNVt3NN3M3U4J4.system.drop
i2713t-1.c with drop optime { ts: Timestamp(1549620824, 2713), t: -1 }
2019-02-18T15:17:11.083Z I STORAGE [initandlisten] Found drop-pending namespace s_monitoDjADiK3LuYveVmB44TZEiI13_OBJ_GExkG7i403ybeNVt3NN3M3U4J4.system.drop

An the directory living this files (and many more):
-rw-------. 1 root root 536608768 feb 17 19:33 s_monitoDjADiK3LuYveVmB44TZEiI13_DATA_GI8XK1TVzglQkuXOSwiJtOFXl.636
-rw-------. 1 root root 536608768 feb 17 20:03 s_monitoDjADiK3LuYveVmB44TZEiI13_DATA_GI8XK1TVzglQkuXOSwiJtOFXl.637
-rw-------. 1 root root 536608768 feb 17 20:33 s_monitoDjADiK3LuYveVmB44TZEiI13_DATA_GI8XK1TVzglQkuXOSwiJtOFXl.638

its possible delete with linux command?

0 Karma
Reply

agneticdk
Path Finder
‎03-25-2019 12:38 AM

Hi

Just saw this for 7.2.5, fixed issues in release notes:

2019-03-07 SPL-167347, SPL-165968 Frequent searches with outputlookup may trigger highly increased KV Store storage usage or in some cases crash of the mongod process

André

0 Karma
Reply

aecruzp
Path Finder
‎02-18-2019 10:40 AM

-rw-------. 1 root root 536608768 feb 17 07:12 s_monitoDjADiK3LuYveVmB44TZEiI13_OBJ_GExkG7i403ybeNVt3NN3M3U4J4.29
-rw-------. 1 root root 536608768 feb 17 07:13 s_monitoDjADiK3LuYveVmB44TZEiI13_OBJ_GExkG7i403ybeNVt3NN3M3U4J4.27
-rw-------. 1 root root 536608768 feb 17 07:13 s_monitoDjADiK3LuYveVmB44TZEiI13_OBJ_GExkG7i403ybeNVt3NN3M3U4J4.31
-rw-------. 1 root root 536608768 feb 17 07:13 s_monitoDjADiK3LuYveVmB44TZEiI13_OBJ_GExkG7i403ybeNVt3NN3M3U4J4.30

0 Karma
Reply

agneticdk
Path Finder
‎03-25-2019 12:36 AM

We also see this. Exact same size. Same splunk version (7.2.3)

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...