Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why does my search on specific indexer shows more GB of data than what is set up as part of maxtotalDataSizeMB?

abhi04
Communicator
‎07-01-2021 04:37 AM

I have set up the maxtotalDataSizeMB for main index as 20 GB. But when I try to run the search for the index main on this specific indexer it shows me more than 20 GB of data. I ran the search for last 10 days. Can someone explain the theory behind this.

How I understand is that it should only show 20 GB of data and whatever older events were there would have moved to frozen which is not searchable. But that's not what is happening in this case. Is there something that I am missing?

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-01-2021 06:31 AM

The maxTotalDataSizeMB setting applies to ALL data in the index, not just the last 10 days.  Try searching All Time.  What search are you using?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

abhi04
Communicator
‎07-01-2021 06:43 AM

Yes, the maxTotalDataSizeMB setting applies to ALL data in the index.

So, if I select ALL time for the search for the main index, it should only show around 20 GB of data in the search results?

 

Because I set the maxTotalDataSizeMB for main index as 20 GB, shouldn't I be seeing atmost 20 GB max data 

for any time frame? It could be less but not more than 20 GB.

 

Below is the query I used to determine how much data in GB is there for the main index.

 

index=main | eval raw_size_gb = (len(_raw) / 1024/ 1024/ 1024)
| timechart span=1d sum(raw_size_gb) as Index_Size_In_GB 

 

 

Please let me know if I am on the wrong path.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-01-2021 09:48 AM

Let's back up a little.  How much over 20MB are we talking here?  Did you restart the indexers after changing the maxTotalDataSizeMB setting?  What is the exact setting?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

abhi04
Communicator
‎07-01-2021 10:04 AM

Ye s, I restarted splunk after making changes.

 

Below is the settings

 

[main]
frozenTimePeriodInSecs = 1209600
maxTotalDataSizeMB = 20000

 

As per this screenshot we can see the sum of data seen is more than 20 GB

Splunk.png

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...