Some of our servers are running low on Disk capacity and we are concerned with splunk log files generated and stored on these boxes. The logfiles metrics.log.1 (2,3,4,5) are all 24.5 MB each. This causes the Spunk agent logs to eat up more 100MB in disk space.
Is there a way to limit the log files to just one and control the amount it can grow? If we can keep this log to 24MB in total that would be great.
$SPLUNK_HOME/etc/log.cfg
appender.metrics.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.metrics.maxBackupIndex=1
I usually cut the maxfilesize down to 5mb. You'll want to apply this to at least the splunkd.log as well
appender.A1.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.A1.maxBackupIndex=1
As mentioned in the doc, you should create a log-local.cfg so your settings don't get erased
$SPLUNK_HOME/etc/log.cfg
appender.metrics.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.metrics.maxBackupIndex=1
I usually cut the maxfilesize down to 5mb. You'll want to apply this to at least the splunkd.log as well
appender.A1.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.A1.maxBackupIndex=1
As mentioned in the doc, you should create a log-local.cfg so your settings don't get erased
Yes, this can be configured in $SPLUNK_HOME/etc/log.cfg
and is documented at http://docs.splunk.com/Documentation/Splunk/5.0/Troubleshooting/WhatSplunklogsaboutitself