Splunk Search

Command to free disk space

erlindemberg
Explorer

My instance of Splunk currently has 9.4 TB of disk for indexing. We have 360GB per day being indexed and I can't increase the disk size to support this daily indexing.
I need to clean up indexed events from January 2019 through July 2019.

Can someone tell me how to do it and which command to use?

Tags (1)
0 Karma
1 Solution

alonsocaio
Contributor

I would suggest you to read about archiving, this could be a better way to safely free some disk space, not losing permanently all data you have indexed before: https://docs.splunk.com/Documentation/Splunk/7.3.1/Indexer/Setaretirementandarchivingpolicy

Using a correct archiving and retirement policy can help you to remove or backup old indexed data, since you can choose to archive frozen buckets or to remove them. You just need to set when you want a bucket to turn to frozen.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If the size of your disk is a limiting factor then your indexes' retention should be based on size rather than time. Put your indexes in a volume and limit the size of the volume to the size of the disk minus 10-15%. As space grows tight, older buckets will be deleted to make room for new ones.

---
If this reply helps you, Karma would be appreciated.
0 Karma

alonsocaio
Contributor

I would suggest you to read about archiving, this could be a better way to safely free some disk space, not losing permanently all data you have indexed before: https://docs.splunk.com/Documentation/Splunk/7.3.1/Indexer/Setaretirementandarchivingpolicy

Using a correct archiving and retirement policy can help you to remove or backup old indexed data, since you can choose to archive frozen buckets or to remove them. You just need to set when you want a bucket to turn to frozen.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I'm tempted to down-vote this answer. The splunk clean command deletes the entire index, something the OP doesn't want.

---
If this reply helps you, Karma would be appreciated.
0 Karma

alonsocaio
Contributor

I removed the splunk clean command from my answer, thanks for the advice.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...