Splunk Enterprise

How to Configure maxDataSize for high volume?

DavidCaputo
Path Finder

Hi,

I have an index in which I collect a lot of data, approximately 40 Gb/day.
In the indexes.conf, I guess I've made a mistake and configured:

maxDataSize = auto

Now, it looks like I'm losing data older than 3 months (roughly) and I guess it's due to this parameter.

In the documentation (I should have read it before !), I can see for maxDataSize : "You should use "auto_high_volume" for high-volume indexes ... A "high volume index" would typically be considered one that gets over 10GB of data per day."

1/ Is it possible to change this parameter for an existing index ?
Obviously, regarding the volume I want to ingest, the "auto_high_volume" is more appropriate
(==> "maxDataSize = auto_high_volume" in the indexes.conf)

2/ Is there any other reason why I am losing data ?

Thanks for your help !
David


smurf
Communicator

Hi,

maxDataSize tells Splunk how large each bucket can be.

If you are losing old data, you could look for one of these settings:

  • maxTotalDataSizeMB
  • frozenTimePeriodInSecs
  • coldPath.maxDataSizeMB / homePath.maxDataSizeMB

Having any of these would limit the amount of data that is stored in the index. If you are losing everything that is older than 3 months, I would especially look for the attribute frozenTimePeriodInSecs (The number of seconds after which indexed data rolls to frozen.).

DavidCaputo
Path Finder

Thanks smurf for your quick answer,

frozenTimePeriodInSecs = 48000000 (~ 18 months, I guess it's enough)

For coldPath.maxDataSizeMB / homePath.maxDataSizeMB, I can see in the doc:

If this attribute is missing or set to 0, Splunk will not constrain the
  size of homePath.
* Highest legal value is 4294967295
* Defaults to 0.

So, I'm going to try first to set the "maxTotalDataSizeMB" to a larger value than the default one.


smurf
Communicator

I find the Monitoring Console a good place for debugging indexes.

Try Monitoring Console -> Indexing -> Indexes and Volumes -> Indexes and Volumes: Instance.

There you have a nice overview of all indexes with their sizes, data age, etc.


DavidCaputo
Path Finder

It looks like the maxTotalDataSizeMB solved my problem.

Thanks smurf

David
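
Added example, not part of the thread and not Splunk tooling: a small Python check that reads an indexes.conf stanza and estimates whether `frozenTimePeriodInSecs` or `maxTotalDataSizeMB` will freeze data first, which is the situation resolved above. The index name `fw_logs`, the sample stanza and the 5000 MB/day on-disk growth figure are constructed; the two default values are taken from the indexes.conf spec and should be confirmed for your version; the homePath/coldPath size limits are not modelled.

```python
import configparser
import math

# Defaults from the indexes.conf spec (assumption: confirm against your Splunk version).
DEFAULTS = {"maxTotalDataSizeMB": 500000, "frozenTimePeriodInSecs": 188697600}

def effective_retention(conf_text, index, disk_mb_per_day):
    """Estimate which retention setting freezes data first for one index.

    disk_mb_per_day is the on-disk growth of the index, not the licence volume.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str               # keep setting names case-sensitive
    cp.read_string(conf_text)
    settings = dict(DEFAULTS)
    for stanza in ("default", index):  # [default] first, the index stanza overrides it
        if cp.has_section(stanza):
            for key in DEFAULTS:
                if cp.has_option(stanza, key):
                    settings[key] = int(cp.get(stanza, key))
    days = {
        "frozenTimePeriodInSecs": settings["frozenTimePeriodInSecs"] / 86400,
        "maxTotalDataSizeMB": settings["maxTotalDataSizeMB"] / disk_mb_per_day,
    }
    binding = min(days, key=days.get)  # the limit that is reached first
    # Size cap needed so that the time limit, not the size limit, decides.
    needed_mb = math.ceil(settings["frozenTimePeriodInSecs"] * disk_mb_per_day / 86400)
    return {"binding": binding, "days": round(days[binding], 1),
            "settings": settings, "size_mb_for_time_limit": needed_mb}

# Constructed sample stanza; only maxDataSize and frozenTimePeriodInSecs mirror the thread.
SAMPLE = """
[fw_logs]
homePath = $SPLUNK_DB/fw_logs/db
coldPath = $SPLUNK_DB/fw_logs/colddb
thawedPath = $SPLUNK_DB/fw_logs/thaweddb
maxDataSize = auto
frozenTimePeriodInSecs = 48000000
"""

if __name__ == "__main__":
    # 5000 MB/day on disk is a constructed figure, not a measurement from the thread.
    print(effective_retention(SAMPLE, "fw_logs", 5000))
```

With no `maxTotalDataSizeMB` in the stanza the default size cap is the binding limit, even though `frozenTimePeriodInSecs` allows far longer retention.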
