Configurable Location for Summary Index Possible?

I_am_Jeff
Communicator

Can summary indexes, aka stash files, be stored somewhere other than $SPLUNK_HOME/var/spool/splunk/_.stash? Specifically, can the $SPLUNK_HOME part be changed?

Disk space is the issue. I have a DEV box, version 4.1.1, where the file system that $SPLUNK_HOME resides on is 3 GB. My normal indexes are stored on a different file system. I'd like to put the stash files there.

Filesystem                  size   used  avail capacity  Mounted on
/opt/apps/splunk            3.0G   2.6G   426M    87%    /opt/apps/splunk
/opt/apps/splunk-index01     20G   1.4G    19G     8%    /opt/apps/splunk-index01

I've read http://answers.splunk.com/questions/2973/change-output-location-of-splunk-diag and that answer was to submit a feature request. Is that the same answer here or has Splunk changed since then?

I see stash mentioned in /opt/apps/splunk/etc/system/default/searchbnf.conf, but it doesn't appear the whole path can be changed unless I pull some trick like:

file=../../../../../../../opt/apps/splunk-index/stash  

Will that work? Seems like a security risk if it does work.

It appears I can make the stash files more temporary by reducing the number of default days in a /opt/apps/splunk/etc/system/local/props.conf to something like 30 days.

[stash]
TRUNCATE = 0
MAX_DAYS_HENCE=2
MAX_DAYS_AGO=10000
MAX_DIFF_SECS_AGO=3600
MAX_DIFF_SECS_HENCE=604800
LEARN_MODEL = false
REPORT-1 = stash_extract

I'll stop asking questions now. Thanks for any answers and suggestions.

1 Solution

Stephen_Sorkin
Splunk Employee

The stash files for summary indexes are dropped into /var/spool/splunk and removed as soon as they're added to the summary index (which is configured in indexes.conf). If the stash files persist in the spool directory (or anywhere else), that's a bug that you should consult Splunk Support for.

I-Man
Communicator

I also had an issue where the stash files were eating away all our disk space. Turns out, we were monitoring the SPLUNK_HOME\var\spool\splunk directory which somehow prevented the stash files from being deleted.

jbsplunk
Splunk Employee

Monitoring that folder will result in stash files being retained; this has been run into more than once.
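
A check for the condition described in the two comments above, as an added example that is not part of the original thread or Splunk's own code: it scans inputs.conf text for `[monitor://...]` stanzas whose path overlaps `$SPLUNK_HOME/var/spool/splunk`. The function names and the sample stanzas are constructed for illustration, and flagging parent directories assumes the monitor descends into subdirectories.

```python
import posixpath
import re

SPOOL_SUFFIX = "var/spool/splunk"  # spool directory named in the thread

def _normalize(path, home):
    """Expand $SPLUNK_HOME, unify separators, stop at the first wildcard."""
    path = path.replace("\\", "/").replace("$SPLUNK_HOME", home)
    parts = []
    for seg in path.split("/"):
        if "*" in seg or "..." in seg:  # Splunk monitor wildcards
            break
        parts.append(seg)
    return posixpath.normpath("/".join(parts) or "/")  # also collapses ".."

def _covers(parent, child):
    """True if child is parent itself or lies beneath it."""
    parent = parent.rstrip("/")
    return child == parent or child.startswith(parent + "/")

def spool_monitors(inputs_conf_text, splunk_home):
    """Return [monitor://...] stanza headers that overlap the spool directory."""
    home = splunk_home.replace("\\", "/").rstrip("/")
    spool = posixpath.normpath(home + "/" + SPOOL_SUFFIX)
    hits = []
    for line in inputs_conf_text.splitlines():
        m = re.match(r"\s*\[monitor://(.+?)\]\s*$", line)
        if not m:
            continue
        watched = _normalize(m.group(1), home)
        # Flag the spool dir itself, anything inside it, and any parent of it
        # (conservative: assumes the monitor descends into subdirectories).
        if _covers(watched, spool) or _covers(spool, watched):
            hits.append(line.strip())
    return hits

# Constructed sample inputs.conf, not taken from the thread.
SAMPLE = """\
[monitor:///var/log/messages]
[monitor://$SPLUNK_HOME/var/spool/splunk]
[monitor:///opt/apps/splunk/var/log/../spool]
[monitor:///opt/apps/splunk-index01/logs/*.log]
[monitor://$SPLUNK_HOME\\var\\spool\\splunk\\*.stash]
"""

if __name__ == "__main__":
    for stanza in spool_monitors(SAMPLE, "/opt/apps/splunk"):
        print("overlaps spool directory:", stanza)
```

The comparison is on whole path segments, so a sibling such as /opt/apps/splunk-index01 is not mistaken for a path under /opt/apps/splunk.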

I_am_Jeff
Communicator

Haven't had the chance to call support, but will call this one answered. If I find out more, I'll update this thread.

I_am_Jeff
Communicator

Thanks! I'll check that.
