Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Diskspace Usage

Mkbell35
Engager
‎03-17-2012 02:17 PM

How do we manage the diskspace usage by splunk.

  1. Does it get truncate at x number of days?
  2. Do we need to setup an alert the monitor the splunk logs too?

[Converted to question from answer on this question]

Reply
1 Solution
Solved! Jump to solution
Solution

Drainy
Champion
‎03-17-2012 04:02 PM

This docs post explains it all pretty well;
http://docs.splunk.com/Documentation/Splunk/latest/admin/Setaretirementandarchivingpolicy

Essentially Splunk stores data in hot, warm and cold buckets and then eventually turns to a frozen state. You can define the time between these changes in seconds or size of the buckets. Frozen is a state where you can either choose to run a script to archive and move your oldest data, perhaps to external storage, or (by default) just have it deleted. This way you can configure your data to age out after a certain period of time.

You can set up alerts to monitor Splunk logs too if you really want, the alerting is only available in the trial Enterprise license or on a fully licensed Enterprise system. There is also an app called SoS which is available here that can help you monitor and analyse Splunk problems or errors. Bundled with Splunk is an app called the deployment monitor that you can also activate to help monitor your license usage.

Have a read of the link and pop back if you find you have any specific questions.

View solution in original post

Reply
Solved! Jump to solution
Solution

Drainy
Champion
‎03-17-2012 04:02 PM

This docs post explains it all pretty well;
http://docs.splunk.com/Documentation/Splunk/latest/admin/Setaretirementandarchivingpolicy

Essentially Splunk stores data in hot, warm and cold buckets and then eventually turns to a frozen state. You can define the time between these changes in seconds or size of the buckets. Frozen is a state where you can either choose to run a script to archive and move your oldest data, perhaps to external storage, or (by default) just have it deleted. This way you can configure your data to age out after a certain period of time.

You can set up alerts to monitor Splunk logs too if you really want, the alerting is only available in the trial Enterprise license or on a fully licensed Enterprise system. There is also an app called SoS which is available here that can help you monitor and analyse Splunk problems or errors. Bundled with Splunk is an app called the deployment monitor that you can also activate to help monitor your license usage.

Have a read of the link and pop back if you find you have any specific questions.

Reply
Solved! Jump to solution

Mkbell35
Engager
‎03-18-2012 10:12 AM

Thanks so much for your help well explained and to your offers.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...