Re: datamodel acceleration doesn't remove old guid

sarit_s · ‎03-16-2021

Hello,
We are running DM acceleration, we saw that every time the acceleration is running the disk got full.

After investigation, we saw that the data of the old guid does not removed from disk and that cause our disk full.

We are running Splunk using Docker image and using ansible. looks like it is an issue with ansible but im not sure.

Any idea anyone ?

Thanks

scelikok · ‎03-17-2021

Unfortunately no, only deleted by the search head if it disables/rebuilds the acceleration.

You should manually delete the old ones.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

scelikok · ‎03-16-2021

Hi @sarit_s,

DM acceleration summary files are kept in indexers by using guid of the search head that has DM config. If you are starting a fresh Splunk Docker image every time, this guid will change and re-create a new acceleration files.

You should run Splunk by keeping /opt/splunk/etc path persistent on disk. This will prevent changing guid and also new summary files.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

sarit_s · ‎03-16-2021

Thanks!

what about that the old once kept on disk? Shouldnt they be removed once i have new once?

datamodel acceleration doesn't remove old guid

other

troubleshooting

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...