Why is disk used in my SEARCH HEAD too high?

muez · ‎02-24-2020

I can check that 80% of my disk is used in my Search Head. How to decrease it and what exactly is taking up space? This SH is not the INDEXER, therefore it does not store incoming data.

dshpritz · ‎02-27-2020

Search heads need space too, for things like search artifacts:

https://docs.splunk.com/Documentation/Splunk/8.0.2/Search/Dispatchdirectoryandsearchartifacts

You should check to see where the disk space is being used, and to make sure that your search head is in fact forwarding events to the index tier.

anmolpatel · ‎02-27-2020

I would check the DMC first to check if the SH if not listed as a IDX
- localhost:8000/en-US/app/splunk_monitoring_console/monitoringconsole_overview

and also review the indexer instance
- localhost:8000/en-US/app/splunk_monitoring_console/index_detail_instance

There could be internal logs that could consume the disk space, so check that you're forwarding those to the IDX's.

Why is disk used in my SEARCH HEAD too high?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Why is disk used in my SEARCH HEAD too high?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem