/logs/audit/db/ -- delete files from this folder

stevewong1290 · ‎12-07-2012

Received some error that indexing is paused since /logs/audit/db/ was full of logs. Deleted some of the folders from /logs/audit/db/ to clear some space and now Splunkd does not start. Please assist in getting this working again. Thanks in advance.

lguinn2 · ‎12-08-2012

Check to see if the disk that Splunk uses for indexing is out of space. This will cause Splunk to stop indexing.
As the Splunk admin, look under Manager -> System Settings -> General Settings for the following values

Path to indexes - this is where the Splunk indexes are stored. From this, you should be able to tell which volume/disk is being used.

Pause indexing if free disk space falls below - this setting defines the minimum free disk space. If the free space on the disk/volume falls below this, Splunk will pause indexing.

More information on these settings here (Scroll to the last part of the page.)

I believe this is probably what has happened here. But I could be wrong. How many files were in the /log/audit/db directory? What was the exact error message? (You can find it in $SPLUNK_HOME/var/log/splunk/splunkd.log)

/logs/audit/db/ -- delete files from this folder

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?

Are you a member of the Splunk Community?

/logs/audit/db/ -- delete files from this folder

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?