Monitoring Splunk

can anyone suggest cleanup the splunk mount point. i see /opt/splunk is almost full. please give some suggestion .

New Member

can anyone suggest cleanup the splunk mount point. i see /opt/splunk is almost full. please give some suggestion . which are the path we can clean up.

Tags (1)
0 Karma

Ultra Champion

hello there,

will suggest to leverage indexes.conf settings to make sure you never need to clean up your mount point.
for example, if you are setting up volumes and configuring the total size of volume/s to be lets say 80% of the size of the mount you will never need to clean up again. oh yeah, it will actually also force the older buckets to roll out due to size restrictions and therefore will clean up the mount as you implement the settings
use these settings to achieve:

maxVolumeDataSizeMB = <positive integer>
* Optional, ignored for storageType=remote
* If set, this attribute limits the total size of all databases that reside
  on this volume to the maximum size specified, in MB.  Note that this it
  will act only on those indexes which reference this volume, not on the
  total size of the path set in the path attribute of this volume.
* If the size is exceeded, Splunk will remove buckets with the oldest value
  of latest time (for a given bucket) across all indexes in the volume,
  until the volume is below the maximum size.  This is the trim operation.
  Note that this can cause buckets to be chilled [moved to cold] directly
  from a hot DB, if those buckets happen to have the least value of
  latest-time (LT) across all indexes in the volume.
* Highest legal value is 4294967295, lowest legal value is 1.

read here more:

0 Karma


If you want you can delete some data from the var folder from cold buckets.

0 Karma
Get Updates on the Splunk Community!

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...

Data Preparation Made Easy: SPL2 for Edge Processor

By now, you may have heard the exciting news that Edge Processor, the easy-to-use Splunk data preparation tool ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...