Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

postfix and /var/spool/postfix/maildrop directory are having issues on my Splunk server

robertlynch2020
Influencer
‎02-03-2020 05:21 AM

HI

My system admins are having issues with the Splunk server on the /var. They are saving it is heavily used. (ONLY in the day time does this look like it is happening!).

For example from 9:30 this morning we have written 600MB in 4 hours. SO they are having to clean it down etc..

We do have alerts, but not at this frequency, any idea what could be going on?

Thanks
Robert Lynch

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

robertlynch2020
Influencer
‎02-04-2020 08:29 AM

HI

Thanks for your replay, in the end we found the issue.
We have saved a PDF on a dashboard for cron 1 minutes (scheduled PDF delivery ), it was running non stop and caused this issue.

Regards
Robert Lynch

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

robertlynch2020
Influencer
‎02-04-2020 08:29 AM

HI

Thanks for your replay, in the end we found the issue.
We have saved a PDF on a dashboard for cron 1 minutes (scheduled PDF delivery ), it was running non stop and caused this issue.

Regards
Robert Lynch

0 Karma
Reply
Solved! Jump to solution

gfreitas
Builder
‎02-03-2020 06:07 AM

Could you provide more information? It is not clear if you're saying Splunk is causing the issue or postfix. Do you believe Splunk is sending e-mails to your local postfix and that is filling the disk?
You can check with the following search to see if Splunk is sending thousands of e-mails: index=_internal sendemail source="*python.log" and index=_internal sendemail source="*splunkd.log" to have an idea

Reply
Solved! Jump to solution

robertlynch2020
Influencer
‎02-04-2020 08:29 AM

HI

Thanks for your replay, in the end we found the issue.
We have saved a PDF on a dashboard for cron 1 minutes (scheduled PDF delivery ), it was running non stop and caused this issue.

Regards
Robert Lynch

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...