Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I control the size and number of Splunk's internal logs?

Mick
Splunk Employee
Splunk Employee
‎03-30-2010 06:38 PM

Some of our servers are running low on Disk capacity and we are concerned with splunk log files generated and stored on these boxes. The logfiles metrics.log.1 (2,3,4,5) are all 24.5 MB each. This causes the Spunk agent logs to eat up more 100MB in disk space.

Is there a way to limit the log files to just one and control the amount it can grow? If we can keep this log to 24MB in total that would be great.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

oreoshake
Communicator
‎03-30-2010 08:59 PM

$SPLUNK_HOME/etc/log.cfg

appender.metrics.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.metrics.maxBackupIndex=1

I usually cut the maxfilesize down to 5mb. You'll want to apply this to at least the splunkd.log as well

appender.A1.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.A1.maxBackupIndex=1

As mentioned in the doc, you should create a log-local.cfg so your settings don't get erased

View solution in original post

Reply
Solved! Jump to solution
Solution

oreoshake
Communicator
‎03-30-2010 08:59 PM

$SPLUNK_HOME/etc/log.cfg

appender.metrics.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.metrics.maxBackupIndex=1

I usually cut the maxfilesize down to 5mb. You'll want to apply this to at least the splunkd.log as well

appender.A1.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.A1.maxBackupIndex=1

As mentioned in the doc, you should create a log-local.cfg so your settings don't get erased

Reply
Solved! Jump to solution

Mick
Splunk Employee
Splunk Employee
‎03-30-2010 06:39 PM

Yes, this can be configured in $SPLUNK_HOME/etc/log.cfg and is documented at http://docs.splunk.com/Documentation/Splunk/5.0/Troubleshooting/WhatSplunklogsaboutitself

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...