Monitoring Splunk

When does Splunk roll internal logs?

glitchcowboy
Path Finder

I need to limit the disk usage on splunk's internal logs. (/opt/splunkforwarder/var/log/splunk). I've set the $SPLUNK_HOME/etc/log.cfg on the forwarder for ALL entries like this:

xxxxx.XX.maxFileSize=10000000 # default: 25MB (specified in bytes).
xxxxx.XX.maxBackupIndex=2

But I still have 5 metrics.log files and they're all 25MB after a splunk restart.

Any idea when they rotate and/or how to force it?

gfuente
Motivator

Hello

With the new settings Splunk will mantain only 2 files per log type, but it won´t delete the existing ones. So you need to delete manually the existing *.3 *.4 and *.5 files, to recover the used space

Regards

Dark_Ichigo
Builder

This is a good question, can anyone please update us on this?

0 Karma
Get Updates on the Splunk Community!

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...