Splunk Enterprise

Disk Space Issue on /opt/splunk

jaracan
Communicator

Hi Splunk Folks,

We have Splunk physical servers with 8GB of disk space for the /opt folder, which is frequently reaching 90% of the disk space threshold (7.2GB). Since we cannot easily upgrade the disk space because these are physical servers, we are looking for files that we can remove or migrate.

We found this "/opt/splunk/var/lib/splunk/fishbucket/splunk_private_db/save" folder (1GB in size) that seems to contain the same files (btree_index.dat, btree_records.dat and snapshot) as its predecessor folder (/opt/splunk/var/lib/splunk/fishbucket/splunk_private_db).

Our questions are: what do these Splunk files do, and is it safe to delete them or move them to another folder to free some disk space on /opt?

Here are the commands we used to check which files consume a large volume of disk space:

-bash-4.2$ df -h /opt/splunk
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg00-opt 8.0G 6.5G 1.6G 82% /opt

-bash-4.2$ du -h --max-depth=1 /opt/splunk/var/lib/splunk/fishbucket/splunk_private_db
1001M /opt/splunk/var/lib/splunk/fishbucket/splunk_private_db/save (Has the most consumed diskspace)
335M /opt/splunk/var/lib/splunk/fishbucket/splunk_private_db/snapshot
1.7G /opt/splunk/var/lib/splunk/fishbucket/splunk_private_db/ (Total)


If we look inside the "save" folder from /opt/splunk/var/lib/splunk/fishbucket/splunk_private_db, we can see it has the same files (btree_index.dat, btree_records.dat and snapshot). Thus it just might be a backup of splunk_private_db.

-bash-4.2$ ls -l /opt/splunk/var/lib/splunk/fishbucket/splunk_private_db
-rw-------. 1 splunk splunk 104865400 Jun 24 04:52 btree_index.dat
-rw-------. 1 splunk splunk 246211800 Jun 24 04:56 btree_records.dat
drwx------. 3 splunk splunk 79 Jun 24 04:49 save
drwx------. 2 splunk splunk 70 Jun 24 04:49 snapshot

-bash-4.2$ ls -l /opt/splunk/var/lib/splunk/fishbucket/splunk_private_db/save
-rw-------. 1 splunk splunk 152715440 Nov 22 2019 btree_index.dat
-rw-------. 1 splunk splunk 371572840 Nov 22 2019 btree_records.dat
drwx------. 2 splunk splunk 70 Nov 22 2019 snapshot

Regards,

John Kevin Aracan

0 Karma

isoutamo
SplunkTrust

Based on timestamps it’s probably your backup dir for some reason. I suppose that you could remove or move those to some other place.

0 Karma
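
Following the timestamp reasoning in the answer above, an added example (not part of either post, and not Splunk tooling): a shell function that moves a directory such as `save` to another filesystem only when none of its files changed recently, and deletes the original only after SHA-256 checksums of the copy match. The function name, the 30-day threshold and the `/data/splunk_archive` destination are assumptions.

```shell
#!/usr/bin/env bash
# Added example: relocate a directory that looks like an old backup.
# Usage (hypothetical destination path):
#   archive_stale_dir /opt/splunk/var/lib/splunk/fishbucket/splunk_private_db/save \
#                     /data/splunk_archive 30
archive_stale_dir() {
    local src="$1" dest_parent="$2" min_age_days="$3"
    local recent dest src_sums dest_sums

    if [ ! -d "$src" ] || [ ! -d "$dest_parent" ]; then
        echo "source or destination directory missing" >&2
        return 2
    fi

    # Refuse if any file under SRC was modified in the last MIN_AGE_DAYS days:
    # a recently written file means the directory is still in use.
    recent=$(find "$src" -type f -mtime "-$min_age_days" -print -quit)
    if [ -n "$recent" ]; then
        echo "refusing: $recent changed within $min_age_days days" >&2
        return 1
    fi

    dest="$dest_parent/$(basename "$src").$(date +%Y%m%d)"
    if [ -e "$dest" ]; then
        echo "destination $dest already exists" >&2
        return 2
    fi

    # Copy with ownership, modes and timestamps preserved.
    cp -a "$src" "$dest" || return 3

    # Build per-file checksum manifests for both trees and compare them.
    src_sums=$(cd "$src" && find . -type f -exec sha256sum {} + | sort -k2)
    dest_sums=$(cd "$dest" && find . -type f -exec sha256sum {} + | sort -k2)
    if [ "$src_sums" != "$dest_sums" ]; then
        echo "checksum mismatch; source left in place" >&2
        return 3
    fi

    # Only now is the original removed; print where the copy lives.
    rm -rf -- "$src"
    echo "$dest"
}
```
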