Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

HI Team we are facing disk storage warning on license master. Can you suggest if we can remove some DB files.

Hemant93
Loves-to-Learn Lots
‎10-25-2023 01:34 AM


Can you suggest on this if we remove the 2022 files so will be any impact on splunk

</opt/app/splunk/var/lib/splunk/os/db>ls -lrt
total 644
-rw------- 1 splunk splunk  10 Jan 18 2022 CreationTime
drwx--x--- 2 splunk splunk 4096 Jan 18 2022 GlobalMetaData
drwx--x--- 3 splunk splunk 4096 Jan 18 2022 db_1642559010_1641112260_0
drwx--x--- 3 splunk splunk 4096 Feb 26 2022 db_1645905109_1644968889_4
drwx--x--- 3 splunk splunk 4096 Feb 26 2022 db_1625407961_1565097054_1
drwx--x--- 3 splunk splunk 4096 Feb 26 2022 db_1564424430_1323199008_2
drwx--x--- 3 splunk splunk 4096 Feb 26 2022 db_1645912526_1645346582_5
drwx--x--- 3 splunk splunk 4096 Feb 26 2022 db_1644968878_1642559018_3
drwx--x--- 3 splunk splunk 4096 Feb 26 2022 db_1645931413_1641472459_8
drwx--x--- 3 splunk splunk 4096 Feb 27 2022 db_1646022282_1645905131_11
drwx--x--- 3 splunk splunk 4096 Feb 28 2022 db_1646061049_1646022278_12
drwx--x--- 3 splunk splunk 4096 Mar 31 2022 db_1648760328_1646061038_13
drwx--x--- 3 splunk splunk 4096 May 1 2022 db_1651428760_1648760301_14
drwx--x--- 3 splunk splunk 4096 Jun 1 2022 db_1654064390_1651428766_16
drwx--x--- 3 splunk splunk 4096 Jul 1 2022 db_1656658688_1654064392_17
drwx--x--- 3 splunk splunk 4096 Jul 30 2022 db_1659238089_1656658690_18
drwx--x--- 3 splunk splunk 4096 Aug 6 2022 db_1625407961_1569499319_9
drwx--x--- 3 splunk splunk 4096 Aug 6 2022 db_1625407908_1587017816_6
drwx--x--- 3 splunk splunk 4096 Aug 6 2022 db_1568123891_1361996942_7
drwx--x--- 3 splunk splunk 4096 Aug 6 2022 db_1566397752_1323199008_10
drwx--x--- 3 splunk splunk 4096 Aug 6 2022 db_1659536784_1659238115_19
drwx--x--- 3 splunk splunk 4096 Aug 6 2022 db_1590756532_1590756532_15
drwx--x--- 3 splunk splunk 4096 Sep 12 2022 db_1662507027_1659807171_20
drwx--x--- 3 splunk splunk 4096 Sep 19 2022 db_1663592993_1662507051_21
drwx--x--- 3 splunk splunk 4096 Sep 19 2022 db_1663597969_1663592971_24
drwx--x--- 3 splunk splunk 4096 Sep 19 2022 db_1663600052_1663597937_25
drwx--x--- 3 splunk splunk 4096 Oct 20 2022 db_1666239485_1663600060_26
drwx--x--- 3 splunk splunk 4096 Nov 15 2022 db_1668525038_1666239467_27
drwx--x--- 3 splunk splunk 4096 Nov 15 2022 db_1668525264_1668525013_29
drwx--x--- 3 splunk splunk 4096 Dec 13 2022 db_1660748402_1645073785_31
drwx--x--- 3 splunk splunk 4096 Dec 15 2022 db_1671120985_1668526212_32



Labels (2)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-26-2023 04:33 AM

Wait a second.

/opt/app/splunk/var/lib/splunk/os/db - is this the location of your index data? Why is it not empty on a component not being an indexer? Properly set up environment should forward all logs to indexers, no other components should store events locally.

That's first thing.

Another thing is that if you want to get rid of old data, the proper way to do so would be to lower the retention limits (retention period or size limit) and let splunk roll out buckets to frozen naturally.

0 Karma
Reply

Hemant93
Loves-to-Learn Lots
‎10-27-2023 04:59 AM

@PickleRick this is our license master and i understand that it supposed to be not indexer any data.
So we have some files of 2022 and 2023 so . can we remove these files of 2022?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-27-2023 05:38 AM

As I said, the proper way to get rid of old files would be to reduce the limits for the indexes you want to trim and let Splunk roll the buckets to frozen on its own.

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎10-25-2023 02:16 AM

>>> we are facing disk storage warning on license master.

is it a clustered environment? is it a single indexer, single SH environment? how critical the data is? the license master co-host's any other splunk instance?(or there any other SH/indexer created along with the License Master?)


>>> Can you suggest if we can remove some DB files.
Are these directories huge or small(if they are small, deleting may not save more disk ! )

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

Hemant93
Loves-to-Learn Lots
‎10-26-2023 01:34 AM

@inventsekar 
Yes its a cluster envrioment.

we have 6 indexers.

we have single  SH.

 

Yes those files are taking upto 68 GB .

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...