Splunk Enterprise

How to Configure maxDataSize for high volume?

DavidCaputo
Path Finder

Hi,

I have an index in which I collect a lot of data, approximately 40 Gb/day.
In the indexes.conf, I guess I've made a mistake and configured:

maxDataSize = auto

Now, it looks like I'm losing data older than 3 months (roughly) and I guess it's due to this parameter.

In the documentation (I should have read it before!), I can see for maxDataSize: "You should use "auto_high_volume" for high-volume indexes ... A "high volume index" would typically be considered one that gets over 10GB of data per day."

1/ Is it possible to change this parameter for an existing index?
Obviously, regarding the volume I want to ingest, the "auto_high_volume" is more appropriate
(==> "maxDataSize = auto_high_volume" in the indexes.conf)

2/ Is there any other reason why I am losing data?

Thanks for your help!
David

0 Karma
1 Solution

smurf
Communicator

Hi,

maxDataSize tells Splunk how large each bucket can be.

If you are losing old data, you could look for one of these settings:

  • maxTotalDataSizeMB
  • frozenTimePeriodInSecs
  • coldPath.maxDataSizeMB / homePath.maxDataSizeMB

Having any of these would limit the amount of data that is stored in the index. If you are losing everything that is older than 3 months, I would especially look for the attribute frozenTimePeriodInSecs (the number of seconds after which indexed data rolls to frozen).


0 Karma

DavidCaputo
Path Finder

Thanks smurf for your quick answer,

frozenTimePeriodInSecs = 48000000 (~18 months, I guess it's enough)

For coldPath.maxDataSizeMB / homePath.maxDataSizeMB, I can see in the doc:

* If this attribute is missing or set to 0, Splunk will not constrain the size of homePath.
* Highest legal value is 4294967295
* Defaults to 0.

So, I'm going to try first to set the "maxTotalDataSizeMB" to a larger value than the default one.

0 Karma

smurf
Communicator

I find the Monitoring Console a good place for debugging indexes.

Try Monitoring Console -> Indexing -> Indexes and Volumes -> Indexes and Volumes: Instance.

There you have a nice overview of all indexes with their sizes, data age, etc.

0 Karma

DavidCaputo
Path Finder

It looks like maxTotalDataSizeMB solved my problem.

Thanks smurf

David

0 Karma
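
How the settings named in this thread interact, as an added example that is not part of the original posts and is not Splunk code: it reads an indexes.conf stanza and reports which limit rolls data to frozen first. The index name `firewall` and the on-disk growth of 5500 MB/day are constructed; settings missing from the stanza fall back to the documented defaults (maxTotalDataSizeMB = 500000, frozenTimePeriodInSecs = 188697600).

```python
import configparser

# Documented indexes.conf defaults, applied when a stanza omits the setting.
DEFAULTS = {
    "maxTotalDataSizeMB": 500000,
    "frozenTimePeriodInSecs": 188697600,
    "homePath.maxDataSizeMB": 0,  # 0 = no size constraint
    "coldPath.maxDataSizeMB": 0,  # 0 = no size constraint
}

# Constructed sample: index name and stanza are illustrative, only the
# frozenTimePeriodInSecs value is the one quoted in the thread.
SAMPLE_CONF = """
[firewall]
homePath = $SPLUNK_DB/firewall/db
coldPath = $SPLUNK_DB/firewall/colddb
thawedPath = $SPLUNK_DB/firewall/thaweddb
maxDataSize = auto_high_volume
frozenTimePeriodInSecs = 48000000
"""
SAMPLE_DISK_MB_PER_DAY = 5500  # assumption: measured on-disk growth, not raw ingest


def retention_limits(conf_text, index, disk_mb_per_day):
    """Return (binding_setting, days_kept, {setting: days}) for one index."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    stanza = cp[index] if cp.has_section(index) else {}
    val = {k: int(stanza.get(k, d)) for k, d in DEFAULTS.items()}

    limits = {
        "frozenTimePeriodInSecs": val["frozenTimePeriodInSecs"] / 86400,
        "maxTotalDataSizeMB": val["maxTotalDataSizeMB"] / disk_mb_per_day,
    }
    home, cold = val["homePath.maxDataSizeMB"], val["coldPath.maxDataSizeMB"]
    if home > 0 and cold > 0:
        # Simplification: with both paths capped, their sum bounds the index.
        limits["homePath+coldPath.maxDataSizeMB"] = (home + cold) / disk_mb_per_day
    binding = min(limits, key=limits.get)  # the smallest window wins
    return binding, limits[binding], limits


if __name__ == "__main__":
    name, days, limits = retention_limits(SAMPLE_CONF, "firewall", SAMPLE_DISK_MB_PER_DAY)
    for setting, d in sorted(limits.items(), key=lambda kv: kv[1]):
        print(f"{setting:32s} ~{d:6.0f} days")
    print(f"binding limit: {name} (~{days:.0f} days of data kept)")
```

Replace the constructed growth figure with the index's real on-disk growth per day (the Monitoring Console view mentioned above shows index sizes and data age) before relying on the result.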