Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk Diskspace Usage

Mkbell35
Engager
‎03-17-2012 02:17 PM

How do we manage the diskspace usage by splunk.

  1. Does it get truncate at x number of days?
  2. Do we need to setup an alert the monitor the splunk logs too?

[Converted to question from answer on this question]

Reply
1 Solution
Solved! Jump to solution
Solution

Drainy
Champion
‎03-17-2012 04:02 PM

This docs post explains it all pretty well;
http://docs.splunk.com/Documentation/Splunk/latest/admin/Setaretirementandarchivingpolicy

Essentially Splunk stores data in hot, warm and cold buckets and then eventually turns to a frozen state. You can define the time between these changes in seconds or size of the buckets. Frozen is a state where you can either choose to run a script to archive and move your oldest data, perhaps to external storage, or (by default) just have it deleted. This way you can configure your data to age out after a certain period of time.

You can set up alerts to monitor Splunk logs too if you really want, the alerting is only available in the trial Enterprise license or on a fully licensed Enterprise system. There is also an app called SoS which is available here that can help you monitor and analyse Splunk problems or errors. Bundled with Splunk is an app called the deployment monitor that you can also activate to help monitor your license usage.

Have a read of the link and pop back if you find you have any specific questions.

View solution in original post

Reply
Solved! Jump to solution
Solution

Drainy
Champion
‎03-17-2012 04:02 PM

This docs post explains it all pretty well;
http://docs.splunk.com/Documentation/Splunk/latest/admin/Setaretirementandarchivingpolicy

Essentially Splunk stores data in hot, warm and cold buckets and then eventually turns to a frozen state. You can define the time between these changes in seconds or size of the buckets. Frozen is a state where you can either choose to run a script to archive and move your oldest data, perhaps to external storage, or (by default) just have it deleted. This way you can configure your data to age out after a certain period of time.

You can set up alerts to monitor Splunk logs too if you really want, the alerting is only available in the trial Enterprise license or on a fully licensed Enterprise system. There is also an app called SoS which is available here that can help you monitor and analyse Splunk problems or errors. Bundled with Splunk is an app called the deployment monitor that you can also activate to help monitor your license usage.

Have a read of the link and pop back if you find you have any specific questions.

Reply
Solved! Jump to solution

Mkbell35
Engager
‎03-18-2012 10:12 AM

Thanks so much for your help well explained and to your offers.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...