Can summary indexes, aka stash files, be stored somewhere other than $SPLUNK_HOME/var/spool/splunk/_.stash? Specifically, can the $SPLUNK_HOME part be changed?
Disk space is the issue. I have a DEV box, version 4.1.1, where the file system that $SPLUNK_HOME resides is 3 GB. My normal indexes are stored on a different file system. I'd like to put the stash files there.
Filesystem size used avail capacity Mounted on /opt/apps/splunk 3.0G 2.6G 426M 87% /opt/apps/splunk /opt/apps/splunk-index01 20G 1.4G 19G 8% /opt/apps/splunk-index01
I've read http://answers.splunk.com/questions/2973/change-output-location-of-splunk-diag and that answer was to submit a feature request. Is that the same answer here or has Splunk changed since then?
I see stash mentioned in /opt/apps/splunk/etc/system/default/searchbnf.conf, but it doesn't appear the whole path can be changed unless I pull some trick like:
Will that work? Seems like a security risk if it does work.
It appears I can make the stash files more temporary by reducing the number of default days in a /opt/apps/splunk/etc/system/local/props.conf to something like 30 days.
[stash] TRUNCATE = 0 MAX_DAYS_HENCE=2 MAX_DAYS_AGO=10000 MAX_DIFF_SECS_AGO=3600 MAX_DIFF_SECS_HENCE=604800 LEARN_MODEL = false REPORT-1 = stash_extract
I'll stop asking questions now. Thanks for any answers and suggestions.
The stash files for summary indexes are dropped into /var/spool/splunk and removed as soon as they're added to the summary index (which is configured in indexes.conf). If the stash files persist in the spool directory (or anywhere else) , that's a bug that you should consult Splunk Support for.
haven't had the chance to call support, but will call this one answered. If I find out more, I'll update this thread.
I also had an issue where the stash files were eating away all our disk space. Turns out, we were monitoring the SPLUNK_HOME\var\spool\splunk directory which somehow prevented the stash files from being deleted.
Monitoring that folder will result in stash files being retained, this has been run into more than once.