Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why does my search on specific indexer shows more GB of data than what is set up as part of maxtotalDataSizeMB?

abhi04
Communicator
‎07-01-2021 04:37 AM

I have set up the maxtotalDataSizeMB for main index as 20 GB. But when I try to run the search for the index main on this specific indexer it shows me more than 20 GB of data. I ran the search for last 10 days. Can someone explain the theory behind this.

How I understand is that it should only show 20 GB of data and whatever older events were there would have moved to frozen which is not searchable. But that's not what is happening in this case. Is there something that I am missing?

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-01-2021 06:31 AM

The maxTotalDataSizeMB setting applies to ALL data in the index, not just the last 10 days.  Try searching All Time.  What search are you using?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

abhi04
Communicator
‎07-01-2021 06:43 AM

Yes, the maxTotalDataSizeMB setting applies to ALL data in the index.

So, if I select ALL time for the search for the main index, it should only show around 20 GB of data in the search results?

 

Because I set the maxTotalDataSizeMB for main index as 20 GB, shouldn't I be seeing atmost 20 GB max data 

for any time frame? It could be less but not more than 20 GB.

 

Below is the query I used to determine how much data in GB is there for the main index.

 

index=main | eval raw_size_gb = (len(_raw) / 1024/ 1024/ 1024)
| timechart span=1d sum(raw_size_gb) as Index_Size_In_GB 

 

 

Please let me know if I am on the wrong path.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-01-2021 09:48 AM

Let's back up a little.  How much over 20MB are we talking here?  Did you restart the indexers after changing the maxTotalDataSizeMB setting?  What is the exact setting?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

abhi04
Communicator
‎07-01-2021 10:04 AM

Ye s, I restarted splunk after making changes.

 

Below is the settings

 

[main]
frozenTimePeriodInSecs = 1209600
maxTotalDataSizeMB = 20000

 

As per this screenshot we can see the sum of data seen is more than 20 GB

Splunk.png

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Search APIを使えば調査過程が残せます

   このゲストブログは、JCOM株式会社の情報セキュリティ本部・専任部長である渡辺慎太郎氏によって執筆されました。 Note: This article is published in both Japanese ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...