Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I control the size and number of Splunk's internal logs?

Mick
Splunk Employee
Splunk Employee
‎03-30-2010 06:38 PM

Some of our servers are running low on Disk capacity and we are concerned with splunk log files generated and stored on these boxes. The logfiles metrics.log.1 (2,3,4,5) are all 24.5 MB each. This causes the Spunk agent logs to eat up more 100MB in disk space.

Is there a way to limit the log files to just one and control the amount it can grow? If we can keep this log to 24MB in total that would be great.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

oreoshake
Communicator
‎03-30-2010 08:59 PM

$SPLUNK_HOME/etc/log.cfg

appender.metrics.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.metrics.maxBackupIndex=1

I usually cut the maxfilesize down to 5mb. You'll want to apply this to at least the splunkd.log as well

appender.A1.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.A1.maxBackupIndex=1

As mentioned in the doc, you should create a log-local.cfg so your settings don't get erased

View solution in original post

Reply
Solved! Jump to solution
Solution

oreoshake
Communicator
‎03-30-2010 08:59 PM

$SPLUNK_HOME/etc/log.cfg

appender.metrics.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.metrics.maxBackupIndex=1

I usually cut the maxfilesize down to 5mb. You'll want to apply this to at least the splunkd.log as well

appender.A1.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.A1.maxBackupIndex=1

As mentioned in the doc, you should create a log-local.cfg so your settings don't get erased

Reply
Solved! Jump to solution

Mick
Splunk Employee
Splunk Employee
‎03-30-2010 06:39 PM

Yes, this can be configured in $SPLUNK_HOME/etc/log.cfg and is documented at http://docs.splunk.com/Documentation/Splunk/5.0/Troubleshooting/WhatSplunklogsaboutitself

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...