Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

can anyone suggest cleanup the splunk mount point. i see /opt/splunk is almost full. please give some suggestion .

shivanandbm
New Member
‎06-07-2018 11:21 PM

can anyone suggest cleanup the splunk mount point. i see /opt/splunk is almost full. please give some suggestion . which are the path we can clean up.

Tags (1)
0 Karma
Reply

adonio
Ultra Champion
‎06-09-2018 06:15 AM

hello there,

will suggest to leverage indexes.conf settings to make sure you never need to clean up your mount point.
for example, if you are setting up volumes and configuring the total size of volume/s to be lets say 80% of the size of the mount you will never need to clean up again. oh yeah, it will actually also force the older buckets to roll out due to size restrictions and therefore will clean up the mount as you implement the settings
use these settings to achieve:

maxVolumeDataSizeMB = <positive integer>
* Optional, ignored for storageType=remote
* If set, this attribute limits the total size of all databases that reside
  on this volume to the maximum size specified, in MB.  Note that this it
  will act only on those indexes which reference this volume, not on the
  total size of the path set in the path attribute of this volume.
* If the size is exceeded, Splunk will remove buckets with the oldest value
  of latest time (for a given bucket) across all indexes in the volume,
  until the volume is below the maximum size.  This is the trim operation.
  Note that this can cause buckets to be chilled [moved to cold] directly
  from a hot DB, if those buckets happen to have the least value of
  latest-time (LT) across all indexes in the volume.
* Highest legal value is 4294967295, lowest legal value is 1.

read here more:
https://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Indexesconf

0 Karma
Reply

raghu0463
Explorer
‎06-08-2018 01:01 PM

If you want you can delete some data from the var folder from cold buckets.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...