Just configure the volume definitions in your indexes.conf on your indexers and constrain it to be within the maximum size that you can allow and Splunk will automatically delete the oldest events to make room for newer events as necessary.
@woodcock I created these files as they were not there, and restarted. No effect seen:
/opt/splunk/etc/system/local/indexes.conf:maxVolumeDataSizeMB = 10480
/opt/splunk/etc/apps/splunkappinfrastructure/default/indexes.conf:maxVolumeDataSizeMB = 10480
/opt/splunk/etc/apps/splunkappinfrastructure/local/indexes.conf:maxVolumeDataSizeMB = 10480
Not sure. Is it a single tar installation, and standalone installation. This is not an installation of an app in Splunk Enterprise.
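An added example, not from either poster or from Splunk: `maxVolumeDataSizeMB` is only honoured inside a `[volume:<name>]` stanza, and only for indexes whose `homePath` or `coldPath` point at that volume, so this Python check flags an indexes.conf where the cap cannot take effect. Both sample configs, the volume name `primary` and the paths are constructed assumptions, not the poster's actual files.

```python
import configparser

# Constructed sample: the cap is set outside any [volume:<name>] stanza.
BROKEN = """
[default]
maxVolumeDataSizeMB = 10480
"""

# Constructed sample: a volume with a path and a cap, and an index placed on it.
# thawedPath stays off the volume because it cannot contain a volume reference.
FIXED = """
[volume:primary]
path = /opt/splunk/var/lib/splunk
maxVolumeDataSizeMB = 10480

[main]
homePath = volume:primary/defaultdb/db
coldPath = volume:primary/defaultdb/colddb
thawedPath = $SPLUNK_DB/defaultdb/thaweddb
"""

def volume_findings(conf_text):
    """Return reasons why a volume size cap in this indexes.conf would not apply."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    findings, used = [], set()
    volumes = {s.split(":", 1)[1] for s in cp.sections() if s.startswith("volume:")}
    for sec in cp.sections():
        is_vol = sec.startswith("volume:")
        if "maxVolumeDataSizeMB" in cp[sec] and not is_vol:
            findings.append(f"[{sec}] maxVolumeDataSizeMB outside a [volume:<name>] stanza")
        if is_vol and "path" not in cp[sec]:
            findings.append(f"[{sec}] has no path")
        for key in ("homePath", "coldPath"):
            val = cp[sec].get(key, "")
            if val.startswith("volume:"):
                used.add(val[len("volume:"):].split("/", 1)[0])
    for name in sorted(used - volumes):
        findings.append(f"volume:{name} is referenced but not defined")
    for name in sorted(volumes - used):
        findings.append(f"volume:{name} is defined but no index path uses it")
    return findings

if __name__ == "__main__":
    for label, text in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(label, volume_findings(text) or "ok")
```

On a real host, run it against the merged output of `splunk btool indexes list` rather than a single file, since settings from several indexes.conf files are layered.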