Can summary indexes, aka stash files, be stored somewhere other than $SPLUNK_HOME/var/spool/splunk/_.stash? Specifically, can the $SPLUNK_HOME part be changed?
Disk space is the issue. I have a DEV box, version 4.1.1, where the file system that $SPLUNK_HOME resides on is 3 GB. My normal indexes are stored on a different file system. I'd like to put the stash files there.
Filesystem                size  used  avail  capacity  Mounted on
/opt/apps/splunk          3.0G  2.6G  426M   87%       /opt/apps/splunk
/opt/apps/splunk-index01  20G   1.4G  19G    8%        /opt/apps/splunk-index01
I've read http://answers.splunk.com/questions/2973/change-output-location-of-splunk-diag and that answer was to submit a feature request. Is that the same answer here or has Splunk changed since then?
I see stash mentioned in /opt/apps/splunk/etc/system/default/searchbnf.conf, but it doesn't appear the whole path can be changed unless I pull some trick like:
file=../../../../../../../opt/apps/splunk-index/stash
Will that work? Seems like a security risk if it does work.
It appears I can make the stash files more temporary by reducing the number of default days in a /opt/apps/splunk/etc/system/local/props.conf to something like 30 days.
[stash]
TRUNCATE = 0
MAX_DAYS_HENCE=2
MAX_DAYS_AGO=10000
MAX_DIFF_SECS_AGO=3600
MAX_DIFF_SECS_HENCE=604800
LEARN_MODEL = false
REPORT-1 = stash_extract
I'll stop asking questions now. Thanks for any answers and suggestions.
The stash files for summary indexes are dropped into /var/spool/splunk and removed as soon as they're added to the summary index (which is configured in indexes.conf). If the stash files persist in the spool directory (or anywhere else), that's a bug that you should consult Splunk Support for.
I also had an issue where the stash files were eating away all our disk space. Turns out, we were monitoring the SPLUNK_HOME\var\spool\splunk directory which somehow prevented the stash files from being deleted.
Monitoring that folder will result in stash files being retained, this has been run into more than once.
Haven't had the chance to call support, but will call this one answered. If I find out more, I'll update this thread.
Thanks! I'll check that.
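A check for the condition reported in this thread (a monitor input covering the spool directory, which kept stash files from being deleted), as an added example that is not part of the original posts or Splunk's own code: it scans inputs.conf text for enabled [monitor://...] stanzas whose path is, contains, or sits inside $SPLUNK_HOME/var/spool/splunk. The function names, the sample stanzas, and treating parent and child paths as matches are assumptions.

```python
import posixpath
import re

# Constructed sample inputs.conf (not from the thread).
SAMPLE = r"""
[monitor://$SPLUNK_HOME\var\spool\splunk]
[monitor:///var/log/messages]
[monitor://$SPLUNK_HOME/var/spool]
disabled = true
[monitor:///opt/apps/splunk/var/.../*.stash]
"""

def _norm(path, splunk_home):
    # Expand $SPLUNK_HOME, unify separators, collapse ../ segments.
    path = path.replace("$SPLUNK_HOME", splunk_home).replace("\\", "/")
    return posixpath.normpath(path)

def find_spool_monitors(inputs_conf_text, splunk_home):
    """Return enabled monitor paths that overlap the spool directory."""
    spool = _norm(posixpath.join(splunk_home, "var/spool/splunk"), splunk_home)
    hits, stanza, disabled = [], None, False

    def flush():
        if stanza is None or disabled:
            return
        # Keep only the literal part before the first wildcard segment.
        literal = re.split(r"/[^/]*(?:\*|\.\.\.)", stanza.replace("\\", "/"), maxsplit=1)[0]
        root = _norm(literal, splunk_home)
        covers = spool == root or spool.startswith(root.rstrip("/") + "/")
        inside = root.startswith(spool + "/")
        if covers or inside:
            hits.append(stanza)

    for raw in inputs_conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            flush()  # evaluate the stanza that just ended
            name = header.group(1)
            stanza = name[len("monitor://"):] if name.startswith("monitor://") else None
            disabled = False
        elif stanza is not None:
            key, _, value = line.partition("=")
            if key.strip() == "disabled":
                disabled = value.strip().lower() in ("1", "true")
    flush()
    return hits
```

Run it against each inputs.conf under the Splunk etc directory; any returned stanza is a candidate for removal or narrowing.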