Splunk Enterprise Security

oplogSize default value control


I am working with ES Splunk & want to increase the oplogSize from 1Gig to 2Gig..

From KVStore hammer .conf talk:

1GB even works fine for a while with
premium apps — until it doesn't


the default Serverconf file does not seem to have oplogSize setting at all. So how is the 1Gig limit enforced?

oplogSize = <integer>
* The size of the replication operation log, in MB, for environments
  with search head clustering or search head pooling.
  In a standalone environment, 20% of this size is used.
* After the KV Store has created the oplog for the first time, changing this
  setting does NOT affect the size of the oplog. A full backup and restart
  of the KV Store is required.
* Do not change this setting without first consulting with Splunk Support.
* Default: 1000MB (1GB)
0 Karma


The default is active regardless. You should contact support on the correct steps on increasing opLog in a search head cluster. There is a very very specific order you have to do things to not wipe out your kvstore contents and it can be done without a backup and restore. I would recommend 10GB in an active ES environment.

Get Updates on the Splunk Community!

What’s new on Splunk Lantern in August

This month’s Splunk Lantern update gives you the low-down on all of the articles we’ve published over the past ...

Welcome to the Future of Data Search & Exploration

You have more data coming at you than ever before. Over the next five years, the total amount of digital data ...

This Week's Community Digest - Splunk Community Happenings [8.3.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...