Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

kvstore mongo directory is very large

aecruzp
Path Finder
‎02-18-2019 10:39 AM

Hi.

I have a issue, we migrate Splunk from 6.6.11 to 7.2.3 in both cluster (SH and Indexer), on indexer we aply migration migration-kvstore, but not on the SH nodes.

The mongo (/home/splunk/splunk/var/lib/splunk/kvstore/mongo) directory have 350 GB ocuppied of the hard disk, and We are critical.
On the log file say (many lines):
2019-02-18T15:17:11.083Z I STORAGE [initandlisten] Found drop-pending namespace s_monitoDjADiK3LuYveVmB44TZEiI13_OBJ_GExkG7i403ybeNVt3NN3M3U4J4.system.drop
i2713t-1.c with drop optime { ts: Timestamp(1549620824, 2713), t: -1 }
2019-02-18T15:17:11.083Z I STORAGE [initandlisten] Found drop-pending namespace s_monitoDjADiK3LuYveVmB44TZEiI13_OBJ_GExkG7i403ybeNVt3NN3M3U4J4.system.drop

An the directory living this files (and many more):
-rw-------. 1 root root 536608768 feb 17 19:33 s_monitoDjADiK3LuYveVmB44TZEiI13_DATA_GI8XK1TVzglQkuXOSwiJtOFXl.636
-rw-------. 1 root root 536608768 feb 17 20:03 s_monitoDjADiK3LuYveVmB44TZEiI13_DATA_GI8XK1TVzglQkuXOSwiJtOFXl.637
-rw-------. 1 root root 536608768 feb 17 20:33 s_monitoDjADiK3LuYveVmB44TZEiI13_DATA_GI8XK1TVzglQkuXOSwiJtOFXl.638

its possible delete with linux command?

0 Karma
Reply

agneticdk
Path Finder
‎03-25-2019 12:38 AM

Hi

Just saw this for 7.2.5, fixed issues in release notes:

2019-03-07 SPL-167347, SPL-165968 Frequent searches with outputlookup may trigger highly increased KV Store storage usage or in some cases crash of the mongod process

André

0 Karma
Reply

aecruzp
Path Finder
‎02-18-2019 10:40 AM

-rw-------. 1 root root 536608768 feb 17 07:12 s_monitoDjADiK3LuYveVmB44TZEiI13_OBJ_GExkG7i403ybeNVt3NN3M3U4J4.29
-rw-------. 1 root root 536608768 feb 17 07:13 s_monitoDjADiK3LuYveVmB44TZEiI13_OBJ_GExkG7i403ybeNVt3NN3M3U4J4.27
-rw-------. 1 root root 536608768 feb 17 07:13 s_monitoDjADiK3LuYveVmB44TZEiI13_OBJ_GExkG7i403ybeNVt3NN3M3U4J4.31
-rw-------. 1 root root 536608768 feb 17 07:13 s_monitoDjADiK3LuYveVmB44TZEiI13_OBJ_GExkG7i403ybeNVt3NN3M3U4J4.30

0 Karma
Reply

agneticdk
Path Finder
‎03-25-2019 12:36 AM

We also see this. Exact same size. Same splunk version (7.2.3)

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...