How to determine what is filling up your index space



I have an index(es) that are beginning to rapidly fill up my filesystems on a cluster. What is the quickest way to determine who the culprits are?

0 Karma


You can use firebrigade or dbinspect to see what indexes take up how much space in which buckets, and what your compression ratio is. You can use SoS or the new Distributed Management Console or the Licensing views to see what hosts, sourcetypes, etc. make up the most incoming data. Additionally, take cluster search and replication factors into account.

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!