
Configurable Location for Summary Index Possible?

Communicator

Can summary indexes, aka stash files, be stored somewhere other than $SPLUNK_HOME/var/spool/splunk/_.stash? Specifically, can the $SPLUNK_HOME part be changed?

Disk space is the issue. I have a DEV box, version 4.1.1, where the file system that $SPLUNK_HOME resides on is 3 GB. My normal indexes are stored on a different file system. I'd like to put the stash files there.

Filesystem             size   used  avail capacity  Mounted on  
/opt/apps/splunk       3.0G   2.6G   426M    87%    /opt/apps/splunk  
/opt/apps/splunk-index01    20G   1.4G    19G     8%    /opt/apps/splunk-index01  

I've read http://answers.splunk.com/questions/2973/change-output-location-of-splunk-diag and that answer was to submit a feature request. Is that the same answer here or has Splunk changed since then?

I see stash mentioned in /opt/apps/splunk/etc/system/default/searchbnf.conf, but it doesn't appear the whole path can be changed unless I pull some trick like:

file=../../../../../../../opt/apps/splunk-index/stash  

Will that work? Seems like a security risk if it does work.

It appears I can make the stash files more temporary by reducing the number of default days in a /opt/apps/splunk/etc/system/local/props.conf to something like 30 days.

[stash]
TRUNCATE = 0
MAX_DAYS_HENCE=2
MAX_DAYS_AGO=10000
MAX_DIFF_SECS_AGO=3600
MAX_DIFF_SECS_HENCE=604800
LEARN_MODEL = false
REPORT-1 = stash_extract

I'll stop asking questions now. Thanks for any answers and suggestions.


Re: Configurable Location for Summary Index Possible?

Splunk Employee

The stash files for summary indexes are dropped into /var/spool/splunk and removed as soon as they're added to the summary index (which is configured in indexes.conf). If the stash files persist in the spool directory (or anywhere else), that's a bug that you should consult Splunk Support for.



Re: Configurable Location for Summary Index Possible?

Communicator

Thanks! I'll check that.

0 Karma

Re: Configurable Location for Summary Index Possible?

Communicator

Haven't had the chance to call support, but will call this one answered. If I find out more, I'll update this thread.

0 Karma

Re: Configurable Location for Summary Index Possible?

Communicator

I also had an issue where the stash files were eating away all our disk space. Turns out, we were monitoring the SPLUNK_HOME\var\spool\splunk directory which somehow prevented the stash files from being deleted.


Re: Configurable Location for Summary Index Possible?

Splunk Employee

Monitoring that folder will result in stash files being retained; this has been run into more than once.
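
The cause named in the last two replies, a monitor input that covers the spool directory, can be checked for in inputs.conf. The script below is an added example, not part of the original thread and not Splunk's own code; the function name, the sample stanzas and the wildcard handling are assumptions.

```python
import posixpath
import re

SPOOL = "$SPLUNK_HOME/var/spool/splunk"

# Constructed sample inputs.conf (not taken from the thread).
SAMPLE = """\
[monitor:///var/log/messages]
[monitor://$SPLUNK_HOME/var/spool/splunk]
[monitor:///opt/apps/splunk/var]
disabled = true
[monitor:///opt/apps/splunk/var/spool]
[batch://$SPLUNK_HOME/var/spool/splunk]
"""

def _norm(path, splunk_home):
    return posixpath.normpath(path.replace("$SPLUNK_HOME", splunk_home).replace("\\", "/"))

def monitors_touching_spool(conf_text, splunk_home):
    """Return (stanza, relation) for each enabled monitor input overlapping the spool dir."""
    spool = _norm(SPOOL, splunk_home)
    stanzas, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif current and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    findings = []
    for name, settings in stanzas.items():
        disabled = settings.get("disabled", "0").lower() in ("1", "true")
        if not name.startswith("monitor://") or disabled:
            continue  # only enabled monitor inputs are checked
        # Assumption: compare only the path before the first wildcard segment.
        path = _norm(name[len("monitor://"):], splunk_home)
        base = re.split(r"/[^/]*(?:\*|\.\.\.)", path, maxsplit=1)[0] or "/"
        if base == spool:
            findings.append((name, "spool directory itself"))
        elif spool.startswith(base.rstrip("/") + "/"):
            findings.append((name, "parent of spool directory"))
        elif base.startswith(spool + "/"):
            findings.append((name, "inside spool directory"))
    return findings

if __name__ == "__main__":
    for stanza, relation in monitors_touching_spool(SAMPLE, "/opt/apps/splunk"):
        print(f"{relation}: [{stanza}]")
```

Run it against the merged inputs.conf of the instance with its real $SPLUNK_HOME; any stanza it reports is a candidate for the retention problem described above.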