Solved: How can I control the size and number of Splunk's ...

Mick · ‎03-30-2010

Some of our servers are running low on Disk capacity and we are concerned with splunk log files generated and stored on these boxes. The logfiles metrics.log.1 (2,3,4,5) are all 24.5 MB each. This causes the Spunk agent logs to eat up more 100MB in disk space.

Is there a way to limit the log files to just one and control the amount it can grow? If we can keep this log to 24MB in total that would be great.

oreoshake · ‎03-30-2010

$SPLUNK_HOME/etc/log.cfg

appender.metrics.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.metrics.maxBackupIndex=1

I usually cut the maxfilesize down to 5mb. You'll want to apply this to at least the splunkd.log as well

appender.A1.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.A1.maxBackupIndex=1

As mentioned in the doc, you should create a log-local.cfg so your settings don't get erased

View solution in original post

oreoshake · ‎03-30-2010

$SPLUNK_HOME/etc/log.cfg

appender.metrics.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.metrics.maxBackupIndex=1

I usually cut the maxfilesize down to 5mb. You'll want to apply this to at least the splunkd.log as well

appender.A1.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.A1.maxBackupIndex=1

As mentioned in the doc, you should create a log-local.cfg so your settings don't get erased

Mick · ‎03-30-2010

Yes, this can be configured in $SPLUNK_HOME/etc/log.cfg and is documented at http://docs.splunk.com/Documentation/Splunk/5.0/Troubleshooting/WhatSplunklogsaboutitself

How can I control the size and number of Splunk's internal logs?

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!