Monitoring Splunk

can anyone suggest cleanup the splunk mount point. i see /opt/splunk is almost full. please give some suggestion . which are the path we can clean up.

Ultra Champion

hello there,

will suggest to leverage indexes.conf settings to make sure you never need to clean up your mount point.
for example, if you are setting up volumes and configuring the total size of volume/s to be lets say 80% of the size of the mount you will never need to clean up again. oh yeah, it will actually also force the older buckets to roll out due to size restrictions and therefore will clean up the mount as you implement the settings
use these settings to achieve:

maxVolumeDataSizeMB = <positive integer>
* Optional, ignored for storageType=remote
* If set, this attribute limits the total size of all databases that reside
  on this volume to the maximum size specified, in MB.  Note that this it
  will act only on those indexes which reference this volume, not on the
  total size of the path set in the path attribute of this volume.
* If the size is exceeded, Splunk will remove buckets with the oldest value
  of latest time (for a given bucket) across all indexes in the volume,
  until the volume is below the maximum size.  This is the trim operation.
  Note that this can cause buckets to be chilled [moved to cold] directly
  from a hot DB, if those buckets happen to have the least value of
  latest-time (LT) across all indexes in the volume.
* Highest legal value is 4294967295, lowest legal value is 1.

read here more:

If you want you can delete some data from the var folder from cold buckets.

