Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Platform
- :
- Splunk Cloud Platform
- :
- Splunk Cloud Index MaxSize Issue
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey everyone,
I have a question on Splunk Cloud Index MaxSize.
I am having an issue with Splunk Cloud Index MaxSize. My index max size is set to 500GB, but the current size has reached 530GB, and some latest events (from last week) are not in the index but are going to archive storage.
We have 3 months of searchable retention and 3 months of archive, and the archive dashboard is showing the latest event from last week.
We have 8 indexers, which are clustered, and two dedicated search heads (not clustered).
My question is, can I update the index maxsize (to unlimited) on the GUI, and will it replicate to all the indexers and 2 search heads, or should I open a support case for that?
The second question is, can I restore the logs that went to archiving due to a maxsize issue to a searchable index again?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI @tech_g706
Im not sure why data from last week would be going to archive, this might be something you need to speak to Splunk support about, however regarding the retrieval of the archive data then if this is in DDAA then you can temporarily restore it but I dont think its possible to keep it restored.
I would speak to Splunk Support - if there has been an issue which has caused the data to archive prematurely then they may be able to have it restored for you, but it isnt something that you'd be able to do yourself.
If you update the Max size via the GUI it will replicate the configuration to the relevant components within the Splunk Cloud stack - you do not need to worry so much about how/where it goes 🙂
🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI @tech_g706
Im not sure why data from last week would be going to archive, this might be something you need to speak to Splunk support about, however regarding the retrieval of the archive data then if this is in DDAA then you can temporarily restore it but I dont think its possible to keep it restored.
I would speak to Splunk Support - if there has been an issue which has caused the data to archive prematurely then they may be able to have it restored for you, but it isnt something that you'd be able to do yourself.
If you update the Max size via the GUI it will replicate the configuration to the relevant components within the Splunk Cloud stack - you do not need to worry so much about how/where it goes 🙂
🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Aligning Observability Costs with Business Value: Practical Strategies
Mastering Data Pipelines: Unlocking Value with Splunk
Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0
