Splunk Enterprise Security

oplogSize default value control


I am working with ES Splunk & want to increase the oplogSize from 1Gig to 2Gig..

From KVStore hammer .conf talk:

1GB even works fine for a while with
premium apps — until it doesn't


the default Serverconf file does not seem to have oplogSize setting at all. So how is the 1Gig limit enforced?

oplogSize = <integer>
* The size of the replication operation log, in MB, for environments
  with search head clustering or search head pooling.
  In a standalone environment, 20% of this size is used.
* After the KV Store has created the oplog for the first time, changing this
  setting does NOT affect the size of the oplog. A full backup and restart
  of the KV Store is required.
* Do not change this setting without first consulting with Splunk Support.
* Default: 1000MB (1GB)
0 Karma


The default is active regardless. You should contact support on the correct steps on increasing opLog in a search head cluster. There is a very very specific order you have to do things to not wipe out your kvstore contents and it can be done without a backup and restore. I would recommend 10GB in an active ES environment.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...