Splunk Enterprise Security
Highlighted

oplogSize default value control

Contributor

I am working with ES Splunk & want to increase the oplogSize from 1Gig to 2Gig..

From KVStore hammer .conf talk:

1GB even works fine for a while with
premium apps — until it doesn't

https://docs.splunk.com/Documentation/Splunk/7.2.3/Admin/Serverconf

the default Serverconf file does not seem to have oplogSize setting at all. So how is the 1Gig limit enforced?

oplogSize = <integer>
* The size of the replication operation log, in MB, for environments
  with search head clustering or search head pooling.
  In a standalone environment, 20% of this size is used.
* After the KV Store has created the oplog for the first time, changing this
  setting does NOT affect the size of the oplog. A full backup and restart
  of the KV Store is required.
* Do not change this setting without first consulting with Splunk Support.
* Default: 1000MB (1GB)
0 Karma
Highlighted

Re: oplogSize default value control

SplunkTrust
SplunkTrust

The default is active regardless. You should contact support on the correct steps on increasing opLog in a search head cluster. There is a very very specific order you have to do things to not wipe out your kvstore contents and it can be done without a backup and restore. I would recommend 10GB in an active ES environment.