Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What do you do if the minimum free disk space is reached on a fresh Splunk installation?

derejekifle
New Member
‎11-09-2017 09:45 AM

I have a fresh install of Splunk on a CentOS VM that has 15GB of disk..
I'm getting the following message... what do I need to do?

  1. Dispatch Command: The minimum free disk space (2000MB) reached for /opt/splunk/var/run/splunk/dispatch.
  2. Failed to start KV Store process. See mongod.log and splunkd.log for details.
  3. Disk Monitor: The index processor has paused data flow. Current free disk space on partition '/' has fallen to 347MB, below the minimum of 2000MB. Data writes to index path '/opt/splunk/var/lib/splunk/audit/db'cannot safely proceed. Increase free disk space on partition '/' by removing or relocating data.
  4. KV Store changed status to failed. KVStore process terminated
  5. KV Store process terminated abnormally (exit code 100, status exited with code 100). See mongod.log and splunkd.log for details.
0 Karma
Reply

codebuilder
Influencer
‎04-05-2019 03:33 PM

Configure logrotate and/or manually purge Splunk log files.

These are unfortunately located at /opt/splunk/var/log/splunk and /opt/splunk/var/log/introspection, which obviously count against your available space on /opt (which is usually small on a standard Linux install).

I generally symlink those directories to /var/log/splunk and /var/log/introspection, with /var/log being on it's own disk, VG, and LV
/dev/mapper/varlogvg01-varloglv01 e.g.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply

hardikJsheth
Motivator
‎11-09-2017 10:30 AM

You are indexing more data than available space. Best would be to increase the disk size, if you are going to keep indexing at same rate.

Just to make it work you can reduce minimum recommended free space to 1GB by logging into your Splunk UI and goto Settings --> General Settings. Change the size for "Pause indexing if free disk space (in MB) falls below ". After changing this values you will have to restart your machine.

For KVStore if it doesn't work after restart check for error message in $SPLUNK_HOME/var/log/splunk/mongod.log.

0 Karma
Reply

tmarlette
Motivator
‎11-09-2017 10:25 AM

check your free disk space on CentOs under the /opt partition (assuming this is a stand alone instance). You've likely hit your max. if this is machine is a search head and an indexer, you're going to blow through 15GB almost after install.

keep in mind that all default indexes, as well as new indexes default to storing 500GB of data. This means that the index won't rotate out old data until each index hit's 500GB. I'm not sure how many indexes you have, but in your case, 1 is too many at 500GB. adjust the sizes to compensate, and get about 120GB or so on the /opt partition and you should be Ok for awhile.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...