Configurable Location for Summary Index Possible?

Communicator

Can summary indexes, aka stash files, be stored somewhere other than $SPLUNK_HOME/var/spool/splunk/_.stash? Specifically, can the $SPLUNK_HOME part be changed?

Disk space is the issue. I have a DEV box, version 4.1.1, where the file system that $SPLUNK_HOME resides on is 3 GB. My normal indexes are stored on a different file system. I'd like to put the stash files there.

Filesystem             size   used  avail capacity  Mounted on  
/opt/apps/splunk       3.0G   2.6G   426M    87%    /opt/apps/splunk  
/opt/apps/splunk-index01    20G   1.4G    19G     8%    /opt/apps/splunk-index01  

I've read http://answers.splunk.com/questions/2973/change-output-location-of-splunk-diag and that answer was to submit a feature request. Is that the same answer here or has Splunk changed since then?

I see stash mentioned in /opt/apps/splunk/etc/system/default/searchbnf.conf, but it doesn't appear the whole path can be changed unless I pull some trick like:

file=../../../../../../../opt/apps/splunk-index/stash  

Will that work? Seems like a security risk if it does work.

It appears I can make the stash files more temporary by reducing the number of default days in a /opt/apps/splunk/etc/system/local/props.conf to something like 30 days.

[stash]
TRUNCATE = 0
MAX_DAYS_HENCE=2
MAX_DAYS_AGO=10000
MAX_DIFF_SECS_AGO=3600
MAX_DIFF_SECS_HENCE=604800
LEARN_MODEL = false
REPORT-1 = stash_extract

I'll stop asking questions now. Thanks for any answers and suggestions.

1 Solution

Splunk Employee

The stash files for summary indexes are dropped into /var/spool/splunk and removed as soon as they're added to the summary index (which is configured in indexes.conf). If the stash files persist in the spool directory (or anywhere else), that's a bug that you should consult Splunk Support for.

Communicator

I also had an issue where the stash files were eating away all our disk space. Turns out, we were monitoring the SPLUNK_HOME\var\spool\splunk directory which somehow prevented the stash files from being deleted.

Splunk Employee

Monitoring that folder will result in stash files being retained; this has been run into more than once.
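
A way to check for the condition described in the two comments above, as an added example that is not part of the original thread and not Splunk's own code: it scans inputs.conf text for `[monitor://...]` stanzas whose path is the spool directory, sits inside it, or is a parent of it. The function names and the sample configuration are constructed for illustration, and wildcard paths are handled conservatively by comparing only the directory before the first wildcard.

```python
import posixpath
import re

SPOOL_REL = "var/spool/splunk"          # spool directory named in the thread
STANZA = re.compile(r"^\[monitor://([^\]]+)\]\s*$")
WILDCARD = re.compile(r"\.\.\.|\*")     # inputs.conf wildcards: '...' and '*'


def _norm(path, splunk_home):
    """Expand $SPLUNK_HOME, unify separators, collapse '.' and '..' segments."""
    path = path.replace("$SPLUNK_HOME", splunk_home).replace("\\", "/")
    return posixpath.normpath(path)


def _within(child, parent):
    """True when child is parent itself or lies beneath it."""
    return child == parent or child.startswith(parent.rstrip("/") + "/")


def spool_overlaps(conf_text, splunk_home):
    """Return (line_no, stanza_path) for monitor inputs that cover the spool dir."""
    spool = _norm("$SPLUNK_HOME/" + SPOOL_REL, splunk_home)
    hits = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        match = STANZA.match(line.strip())
        if not match:
            continue
        raw = match.group(1)
        path = raw.replace("\\", "/")
        found = WILDCARD.search(path)
        if found:
            # Conservative: keep only the directory before the first wildcard.
            path = path[: path.rfind("/", 0, found.start()) + 1]
        path = _norm(path, splunk_home)
        # Directory monitors recurse, so an ancestor of the spool also reads it.
        if _within(spool, path) or _within(path, spool):
            hits.append((line_no, raw))
    return hits


# Constructed sample inputs.conf, using the mount points from the question.
SAMPLE = """\
[monitor:///var/log/messages]
[monitor://$SPLUNK_HOME/var/spool/splunk]
[monitor:///opt/apps/splunk-index01/../splunk/var/.../*.stash]
[monitor://$SPLUNK_HOME/var/log/splunk/*.log]
"""

if __name__ == "__main__":
    print(spool_overlaps(SAMPLE, "/opt/apps/splunk"))
```

Run it against each inputs.conf under the Splunk etc tree; a flagged stanza is a candidate to narrow or remove, since paths are normalized before comparison and `..` segments cannot hide the overlap.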

Communicator

Haven't had the chance to call support, but will call this one answered. If I find out more, I'll update this thread.

0 Karma

Communicator

Thanks! I'll check that.

0 Karma