I need to limit the disk usage on splunk's internal logs. (/opt/splunkforwarder/var/log/splunk). I've set the $SPLUNK_HOME/etc/log.cfg on the forwarder for ALL entries like this:
xxxxx.XX.maxFileSize=10000000 # default: 25MB (specified in bytes).
But I still have 5 metrics.log files and they're all 25MB after a splunk restart.
Any idea when they rotate and/or how to force it?
With the new settings Splunk will mantain only 2 files per log type, but it won´t delete the existing ones. So you need to delete manually the existing *.3 *.4 and *.5 files, to recover the used space
This is a good question, can anyone please update us on this?