Monitoring Splunk

Disk Space Error

harshavrath
Contributor

Hi

I'm getting this error

You are low in disk space on partition C:\Program Files\Splunk\var\lib\splunk\audit\db. Indexing has been paused. Will resume when free disk space rises above 5000MB.

How can I change the drive, as I cannot increase the space in my C drive? I have space in my other drives.

Any Suggestions are Appreciated,

Cheers.


MuS
SplunkTrust

Hi harshavrath,

well, you have installed Splunk on the C: drive and you're using the C: drive as well for your indexes. Read about the indexes.conf how to change the homePath for your indexes.

To move your existing data to another location proceed like this:

  1. stop Splunk
  2. change the homePath in indexes.conf
  3. move all existing data from old homePath (in your case C:\Program Files\Splunk\var\lib\splunk) to new homePath
  4. start Splunk

hope this helps ...

cheers, MuS
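
The four steps above as a PowerShell script, narrowed to the one index named in the error message (`audit`); this is an added example, not code from the thread or from Splunk. The target `F:\SplunkData`, the `indexes.conf` location under `etc\system\local` and the `[_audit]` stanza layout are assumptions; the service name `splunkd` is taken from the `net stop splunkd` mentioned elsewhere in the thread.

```powershell
# Added example: relocate one index (the audit index from the error) to another drive.
# Run from an elevated PowerShell prompt. F:\SplunkData is a hypothetical target.
$ErrorActionPreference = 'Stop'
$OldIdx    = 'C:\Program Files\Splunk\var\lib\splunk\audit'
$NewIdx    = 'F:\SplunkData\audit'
$Conf      = 'C:\Program Files\Splunk\etc\system\local\indexes.conf'  # assumed location
$MinFreeMB = 5000   # pause threshold quoted in the error message

function Get-TreeStat([string]$Path) {
    # File count and total bytes under $Path, used to compare source and copy.
    $m = Get-ChildItem -LiteralPath $Path -Recurse -File -Force |
         Measure-Object -Property Length -Sum
    [pscustomobject]@{ Files = $m.Count; Bytes = [int64]$m.Sum }
}

# Step 2 is done by hand; refuse to continue until indexes.conf has the new paths
# (assumed stanza layout):
#   [_audit]
#   homePath   = F:\SplunkData\audit\db
#   coldPath   = F:\SplunkData\audit\colddb
#   thawedPath = F:\SplunkData\audit\thaweddb
if (-not (Select-String -LiteralPath $Conf -SimpleMatch "$NewIdx\db" -Quiet)) {
    throw "Edit $Conf first: no path under $NewIdx found."
}

# The target volume must hold the data and still stay above the pause threshold.
$free = (Get-PSDrive -Name $NewIdx.Substring(0, 1)).Free
if ($free -lt (Get-TreeStat $OldIdx).Bytes + $MinFreeMB * 1MB) {
    throw "Target volume would fall below ${MinFreeMB}MB free; indexing would pause again."
}

Stop-Service -Name splunkd      # step 1 (service name as in 'net stop splunkd')

# Step 3: copy with ACLs (/SEC), verify, and only then delete the original.
robocopy $OldIdx $NewIdx /E /SEC /R:2 /W:5 /NP /NFL /NDL | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

$src = Get-TreeStat $OldIdx
$dst = Get-TreeStat $NewIdx
if ($dst.Files -ne $src.Files -or $dst.Bytes -ne $src.Bytes) {
    throw "Copy does not match source ($($src.Files) vs $($dst.Files) files); old data left in place."
}
Remove-Item -LiteralPath $OldIdx -Recurse -Force

Start-Service -Name splunkd     # step 4
```

If the copy or the verification throws, Splunk stays stopped and the original audit data is untouched, so nothing is indexed into a half-populated location.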

dmaislin_splunk
Splunk Employee

  1. Stop Splunk. Erase all your logs under $SPLUNK_HOME/var/log/splunk
  2. Open Command Line and cd to the $SPLUNK_HOME/bin directory.
  3. Type splunk clean eventdata
  4. Enter your splunk admin / password
  5. Start Splunk

harshavrath
Contributor

Thanks For Your Valuable Info.


MuS
SplunkTrust

read this http://docs.splunk.com/Documentation/Splunk/6.0.2/Indexer/RemovedatafromSplunk

but this will have no effect on your disk space problem on the C: drive, because you moved the data in the indexes to another drive

harshavrath
Contributor

How can I clear/delete the indexed data?

MuS
SplunkTrust

sure, but you will hit the same problem again and again as soon as there is some search activity going on, because this is where your search results/artifacts are stored....

harshavrath
Contributor

I can't do that, instead can I change in General Settings for "Pause Indexing" to 500MB?

MuS
SplunkTrust

look, since this looks like a newer install with almost no historical data I would suggest that you uninstall Splunk from your C: drive and install Splunk on a drive which holds more free space.

harshavrath
Contributor

In my C drive I have only 900MB, so under general settings how much space do you advise me to set for "Pause Indexing.."?

MuS
SplunkTrust

seems your C: drive is pretty tight on space, try to clean up to gain disk space and lower the disk space alert for Splunk in server.conf minFreeSpace option or in the UI > settings > general settings > 'Pause indexing if disk space ...'

harshavrath
Contributor

I'm getting a new Error
The minimum free disk space (5000MB) reached for
(C:\Program Files\Splunk\var\run\splunk\dispatch)


harshavrath
Contributor

Thanks, this worked, now it's showing Events Indexed: 163,153

MuS
SplunkTrust

okay, you can restart Splunk from the UI as well since you don't want to keep the old data. Just in case you want/need to keep the old indexes, change the setting in the UI but don't restart yet. Do a 'net stop splunkd', move data and do a 'net start'. You can stop/start Splunkweb, but this is not mandatory for this action.

harshavrath
Contributor

If I stop Splunk, how will I use the UI?
As I require the UI to specify the new path under
Settings>System Settings>General Settings>Index Settings(Path to Indexes)


MuS
SplunkTrust

Yes, this will change the setting globally for all indexes. But you still have to move the files from 'old path' to 'new path' while Splunk is not running.

nawazns5038
Builder

how to do it in a cluster .... how to stop and move .... Can we delete the _internal data instead and change the homepath so that the new data goes to the new path


harshavrath
Contributor

Hi MuS

Can I directly change the path to F drive instead of C drive under the Splunk UI
Settings>System Settings>General Settings>Index Settings(Path to Indexes)
