Monitoring Splunk

Possible to move Splunk's log folder ($SPLUNK_HOME/var/log/splunk) ?

Jason
Motivator

I know a couple of Splunk's internal logs in var/log/splunk can grow to 25MB and roll up to 5 times. This can cause hundreds of megs of space to be used.

Is it possible to point Splunk at a different folder (partition, etc) for its logs?


jrodman
Splunk Employee

The paths, sizing, and number of logs generated by splunk are mostly (though not completely) defined in $SPLUNK_HOME/etc/log.cfg. Unfortunately there are some log files (e.g. splunkd_stderr.log) which are effectively hardcoded. Symbolic links will work to redirect the logs, but be very certain that it will be a reasonably performant and reliable storage location.

You can override these settings in $SPLUNK_HOME/etc/log-local.cfg; for example, you could keep a smaller quantity of files for some categories, or reduce the size of some of them. For a light forwarder on a system with limited space this may be advisable. I do recommend avoiding the temptation to trim them to the bone, especially the main splunkd log, as you may want to review them at a later point to troubleshoot.

There's some somewhat dated information on this topic here: http://www.splunk.com/wiki/Community:MinimizingForwarderFootprint


alsur
New Member

I've successfully moved only the logs by a symlink to /var/log/splunk pointing at /opt/splunk/var/log/splunk. Our /logs partition is on a separate disk.


jrodman
Splunk Employee

Yeah, sorry. There's a bit of a chicken-and-egg problem around making this configurable via the bundles/apps layering system. Please do file an Enhancement Request with the background need so we can try to get smarter in the future. I think this is essentially "light forwarders really need to use somewhat less disk space for logging", but hearing how it affects each customer in their own terms really helps product management to prioritize and get things addressed. The interface to file an ER is to file a support ticket that says it is an ER.


Jason
Motivator

Argh - etc/log-local.cfg sounds un-editable by deployment server. Not at all ideal for a large number of forwarders!


balbano
Contributor

Agree with jbsplunk.

Symlinks are the way to go.

Just move your splunk home directory to wherever you want and create the symlink in /opt which points to the splunk folder. The symlink has to be called splunk.

I've done it to one or two of my splunk instances.

Hope that helps.

B

jbsplunk
Splunk Employee

The log files locations are hard coded. You could, however, use symlinks to trick Splunk into thinking it is generating logs in one location while writing files to the symlinked location with more space.
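The symlink approach that jrodman's accepted answer and jbsplunk's reply describe, written out as an added example (not code from the thread or from Splunk). It refuses to move anything while a splunkd.pid file is present (assumed path $SPLUNK_HOME/var/run/splunk/splunkd.pid), copies the existing logs with permissions preserved, swaps in the symlink, and verifies that a write through the link lands on the new partition; the SPLUNK_HOME it runs against is a constructed one with sample log files.

```shell
#!/bin/sh
# Added example, not code from the thread or from Splunk: relocate the internal
# log directory to a separate partition and leave a symlink behind, as the
# answers above describe. Assumed: splunkd is stopped, which we infer from the
# absence of $SPLUNK_HOME/var/run/splunk/splunkd.pid (assumed pid-file path).
set -eu

# Move $1/var/log/splunk to $2, keeping a .pre-move copy until verified.
relocate_splunk_logs() {
    home="$1"; dest="$2"; src="$home/var/log/splunk"
    if [ -e "$home/var/run/splunk/splunkd.pid" ]; then
        echo "splunkd pid file present; stop Splunk before moving its logs" >&2
        return 1
    fi
    if [ -L "$src" ]; then
        echo "$src is already a symlink to $(readlink "$src")" >&2
        return 1
    fi
    [ -d "$src" ] || { echo "no log directory at $src" >&2; return 1; }
    mkdir -p "$dest"
    # The destination must be writable by the account splunkd runs as.
    touch "$dest/.write_test" && rm -f "$dest/.write_test"
    # Copy with permissions and timestamps preserved, then swap in the link.
    cp -pR "$src/." "$dest/"
    mv "$src" "$src.pre-move"
    ln -s "$dest" "$src"
    # Verify that a write through the link really lands on the new partition.
    echo "relocated $(date)" >> "$src/relocate.log"
    [ -f "$dest/relocate.log" ] || { echo "verification failed" >&2; return 1; }
    rm -f "$src/relocate.log"
    echo "logs now at $dest; remove $src.pre-move once splunkd runs cleanly"
}

# Build a constructed SPLUNK_HOME with sample internal logs for a dry run.
make_demo_home() {
    mkdir -p "$1/var/log/splunk" "$1/var/run/splunk"
    for f in splunkd.log metrics.log splunkd_stderr.log; do
        printf 'constructed sample line for %s\n' "$f" > "$1/var/log/splunk/$f"
    done
}

demo_root=$(mktemp -d)
demo_home="$demo_root/splunk"; demo_dest="$demo_root/logs_partition/splunk"
make_demo_home "$demo_home"
relocate_splunk_logs "$demo_home" "$demo_dest"
```

For a real instance, stop splunkd, run relocate_splunk_logs against the real $SPLUNK_HOME and the mount point on the larger partition, start splunkd, and only then delete the .pre-move copy; the size and rotation count of the files that log.cfg does control are still tuned through log-local.cfg as described above.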
