Configurable Location for Summary Index Possible?

I_am_Jeff
Communicator

Can summary indexes, aka stash files, be stored somewhere other than $SPLUNK_HOME/var/spool/splunk/_.stash? Specifically, can the $SPLUNK_HOME part be changed?

Disk space is the issue. I have a DEV box, version 4.1.1, where the file system that $SPLUNK_HOME resides on is 3 GB. My normal indexes are stored on a different file system. I'd like to put the stash files there.

```
Filesystem             size   used  avail capacity  Mounted on
/opt/apps/splunk       3.0G   2.6G   426M    87%    /opt/apps/splunk
/opt/apps/splunk-index01    20G   1.4G    19G     8%    /opt/apps/splunk-index01
```

I've read http://answers.splunk.com/questions/2973/change-output-location-of-splunk-diag and that answer was to submit a feature request. Is that the same answer here or has Splunk changed since then?

I see stash mentioned in /opt/apps/splunk/etc/system/default/searchbnf.conf, but it doesn't appear the whole path can be changed unless I pull some trick like:

```
file=../../../../../../../opt/apps/splunk-index/stash
```

Will that work? Seems like a security risk if it does work.

It appears I can make the stash files more temporary by reducing the number of default days in a /opt/apps/splunk/etc/system/local/props.conf to something like 30 days.

```
[stash]
TRUNCATE = 0
MAX_DAYS_HENCE=2
MAX_DAYS_AGO=10000
MAX_DIFF_SECS_AGO=3600
MAX_DIFF_SECS_HENCE=604800
LEARN_MODEL = false
REPORT-1 = stash_extract
```

I'll stop asking questions now. Thanks for any answers and suggestions.

1 Solution

Stephen_Sorkin
Splunk Employee

The stash files for summary indexes are dropped into /var/spool/splunk and removed as soon as they're added to the summary index (which is configured in indexes.conf). If the stash files persist in the spool directory (or anywhere else), that's a bug that you should consult Splunk Support for.

I-Man
Communicator

I also had an issue where the stash files were eating away all our disk space. Turns out, we were monitoring the SPLUNK_HOME\var\spool\splunk directory which somehow prevented the stash files from being deleted.

jbsplunk
Splunk Employee

Monitoring that folder will result in stash files being retained; this has been run into more than once.
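
Added example, not part of the original thread and not Splunk's own tooling: a Python check that reads an inputs.conf and lists the enabled `[monitor://]` stanzas whose path is the spool directory or a directory above it, the condition the two comments above describe. The sample config, the function names and the rule that a monitored directory covers everything beneath it are assumptions.

```python
import configparser
from pathlib import PurePosixPath

SPOOL_SUFFIX = "var/spool/splunk"  # spool directory from the thread, relative to $SPLUNK_HOME

# Constructed sample inputs.conf for illustration; not taken from the thread.
SAMPLE_INPUTS_CONF = r"""
[monitor:///var/log/messages]
sourcetype = syslog

[monitor://$SPLUNK_HOME/var/spool/splunk]
index = main

[monitor://$SPLUNK_HOME\var\...\*.log]
disabled = 0

[monitor:///opt/apps/splunk/var]
disabled = true
"""

def literal_prefix(path, splunk_home):
    """Expand $SPLUNK_HOME, unify separators, cut at the first wildcard segment."""
    segments = path.replace("$SPLUNK_HOME", splunk_home).replace("\\", "/").split("/")
    kept = []
    for seg in segments:
        if "*" in seg or "..." in seg:
            break
        kept.append(seg)
    return PurePosixPath("/".join(kept))

def monitors_covering_spool(conf_text, splunk_home):
    """Return enabled [monitor://...] stanzas whose path is the spool dir or an ancestor."""
    spool = literal_prefix(splunk_home + "/" + SPOOL_SUFFIX, splunk_home)
    parser = configparser.RawConfigParser(strict=False)  # Raw: '$' and '%' stay literal
    parser.read_string(conf_text)
    hits = []
    for stanza in parser.sections():
        if not stanza.startswith("monitor://"):
            continue
        if parser.get(stanza, "disabled", fallback="0").strip().lower() in ("1", "true"):
            continue
        # Assumption: a monitored directory covers everything beneath it; wildcard
        # stanzas are judged conservatively by their literal prefix only.
        watched = literal_prefix(stanza[len("monitor://"):], splunk_home)
        if watched == spool or watched in spool.parents:
            hits.append(stanza)
    return hits

if __name__ == "__main__":
    for stanza in monitors_covering_spool(SAMPLE_INPUTS_CONF, "/opt/apps/splunk"):
        print("covers spool directory:", stanza)
```

Run it against each inputs.conf in effect on the indexer; any stanza it lists is a candidate for the stash-retention problem and should be narrowed or removed.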

I_am_Jeff
Communicator

Haven't had the chance to call support, but will call this one answered. If I find out more, I'll update this thread.

I_am_Jeff
Communicator

Thanks! I'll check that.
