Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can I limit the disk size of a Splunk instance to 300 GB within config files?

natalienguyen
Explorer
‎10-10-2017 04:39 PM

I'm looking to set up a stand-alone test Splunk instance and want to limit the disk size of the instance to 300GB.

Is this possible to do within the config files? Or do I need to install it on a separate partition that has 300GB and just let it run?

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎10-10-2017 11:05 PM

http://docs.splunk.com/Documentation/Splunk/7.0.0/Indexer/Setaretirementandarchivingpolicy

Freeze data when an index grows too large: Set maxTotalDataSizeMB
You can use the size of an index to determine when data gets frozen and removed from the index. If an index grows larger than its maximum specified size, the oldest data is rolled to the frozen state.

The default maximum size for an index is 500,000MB. To change the maximum size, edit the maxTotalDataSizeMB attribute in indexes.conf. For example, to specify the maximum size as 250,000MB:

[main]
maxTotalDataSizeMB = 250000

Specify the size in megabytes.

Restart the indexer for the new setting to take effect. Depending on how much data there is to process, it can take some time for the indexer to begin to move buckets out of the index to conform to the new policy. You might see high CPU usage during this time.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

anthonymelita
Contributor
‎10-11-2017 03:37 PM

Actually not setting the index size smaller than total disk space might inadvertently do what you want. If you set the max size on the index it will roll out the oldest events when the limit is reached. If you run out of disk space it will cause a system alarm and stop indexing. Example: "skipped indexing of internal audit events will keep dropping events until indexer congestion is remedied. Check space and other issues that may caused indexer to block"
Of course this is a symptom, not a solution to your request.

0 Karma
Reply

natalienguyen
Explorer
‎10-11-2017 03:29 PM

Thanks but this is for an index, I would like the whole instance not to exceed 300GB.

For instance, I could have 10 indexes, but once the total space of them reaches 300GB, then Splunk will stop indexing.

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...