Monitoring Splunk

When does Splunk roll internal logs?

Path Finder

I need to limit the disk usage on splunk's internal logs. (/opt/splunkforwarder/var/log/splunk). I've set the $SPLUNK_HOME/etc/log.cfg on the forwarder for ALL entries like this:

xxxxx.XX.maxFileSize=10000000 # default: 25MB (specified in bytes).

But I still have 5 metrics.log files and they're all 25MB after a splunk restart.

Any idea when they rotate and/or how to force it?



With the new settings Splunk will mantain only 2 files per log type, but it won´t delete the existing ones. So you need to delete manually the existing *.3 *.4 and *.5 files, to recover the used space



This is a good question, can anyone please update us on this?

0 Karma
Get Updates on the Splunk Community!

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...