Re: disk filling with spool dbmon dbmonevt files

bgstein · ‎11-06-2013

Among other struggles with DB Connect I'm trying to pull a large amount of historical data into Splunk to see it is possible to migrate a mysql database into Splunk and running into issues with files in dbmon filling the system drive. This is with Splunk (free) running on Windows 2008 R2.

Is it possible to move the dbmon spool via a change to the configuration file? Is there a way to cleanly delete *.dbmonevt files?

Thanks

araitz · ‎11-07-2013

Many times, this happens because the files have the same checksum for their header and footer. I think you will see events in index=_internal from the fishbucket related to the files in question indicating that they are being skipped because Splunk has already seen them.

ShaneNewman · ‎11-06-2013

I have never moved the spool to a new location, not to say it is not possible. As far as deleting the events, just shut down splunk, then delete the files from the directory. Make sure you disable the input from dbx that is filling up your drive before restarting splunk.

bgstein · ‎11-07-2013

Thanks, that allows me to continue.

It is a shame that you can't manage the size of the spool directory as you can the indexes.

disk filling with spool dbmon dbmonevt files

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation