Good afternoon everyone, I am an ISSO who just inherited a Splunk environment. I have been leaning heavily on this community and I have received lots of great feedback in regards to different documents. My latest problem is that my dispatch directory is nearing capacity and only has 3 out of 5 GB left, so I can't conduct any new searches or get dashboards; everything is at a standstill. I am aware I can use a command to clear artifacts from the dispatch directory, and I am aware there are ways to allocate more space or redirect the dispatch directory... but what I am truly worried about is: am I going to lose information by clearing the dispatch directory of artifacts? I am concerned about losing security-related data or auditable events. Is there anyone who can break down what exactly a search artifact in Splunk contains, and whether it is something I need to have on hand for security purposes down the road? I feel that if I can show my colleagues what a search artifact is, and perhaps why we don't need to worry about deleting it (OR WORRY), then I can proceed forward... I don't exactly have my organization telling me I need to keep the artifacts, but that doesn't mean I shouldn't err on the side of caution. ANY HELP is greatly appreciated.

More info: All we care about is auditing the devices connected to Splunk by way of queries and dashboards. As long as that data is not compromised we are good.
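To show colleagues concretely what sits in the dispatch directory, here is an added example (not from the original post, and not Splunk's own tooling) that inventories a dispatch tree: each job subdirectory holds the cached output of one search plus its metadata, so the script reads the search string from info.csv, reports each job's age and size, and flags jobs older than a threshold. The layout it assumes (a per-sid directory containing an info.csv with a `_search` column and a results.csv.gz) is an assumption, and it builds a constructed sample tree in a temp directory rather than touching a live /opt/splunk path.

```python
import csv, os, tempfile, time

# Assumed layout (constructed for this example, not from the post): <dispatch>/<sid>/
# holds info.csv (one-row job metadata CSV, incl. "_search") and results.csv.gz.
DAY = 86400

def read_search_string(job_dir):
    """Return the '_search' column of info.csv, or '' if the file is absent."""
    info = os.path.join(job_dir, "info.csv")
    if not os.path.isfile(info):
        return ""
    with open(info, newline="") as fh:
        row = next(csv.DictReader(fh), None)
    return (row or {}).get("_search", "")

def inventory(dispatch_dir):
    """One dict per job subdirectory (sid, age_days, size_bytes, search, files)."""
    now, jobs = time.time(), []
    for sid in sorted(os.listdir(dispatch_dir)):
        job_dir = os.path.join(dispatch_dir, sid)
        if not os.path.isdir(job_dir):
            continue
        size = sum(os.path.getsize(os.path.join(r, f))
                   for r, _, fs in os.walk(job_dir) for f in fs)
        jobs.append({"sid": sid, "age_days": (now - os.path.getmtime(job_dir)) / DAY,
                     "size_bytes": size, "search": read_search_string(job_dir),
                     "files": sorted(os.listdir(job_dir))})
    return jobs

def stale_jobs(jobs, min_age_days):
    """Jobs whose directory has not been touched for at least min_age_days."""
    return [j for j in jobs if j["age_days"] >= min_age_days]

def build_fixture(root):
    """Constructed sample tree: one half-day-old job and one 30-day-old job."""
    for sid, search, age in [("1700000000.1", "search index=_audit action=login", 0.5),
                             ("1600000000.2", "search index=main sourcetype=syslog", 30)]:
        d = os.path.join(root, sid)
        os.makedirs(d)
        with open(os.path.join(d, "info.csv"), "w", newline="") as fh:
            csv.writer(fh).writerows([["_search", "_sid"], [search, sid]])
        with open(os.path.join(d, "results.csv.gz"), "wb") as fh:
            fh.write(b"\x1f\x8b" + bytes(200))   # stand-in for the gzipped results
        os.utime(d, (time.time() - age * DAY,) * 2)   # backdate the job directory
    return root

def demo(min_age_days=7):
    """Inventory a constructed dispatch tree; returns (all jobs, stale jobs)."""
    jobs = inventory(build_fixture(tempfile.mkdtemp()))
    return jobs, stale_jobs(jobs, min_age_days)
```

Pointing `inventory()` at a real dispatch directory lists the same fields for live jobs. Indexed events, including the _audit index, live in the index buckets rather than under dispatch, so removing these job directories frees space without touching the audited data itself.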
Good morning everyone! I am trying to see what components are in my Splunk environment. I just inherited a system with Splunk on it, and as far as I know I am on a management server and I am accessing a Splunk web client, which I presume is the search head... (that's one component down... I think). I understand Splunk Enterprise needs a forwarder, an indexer and a search head to function correctly, but without knowing what components I have inherited I am not really sure that it is working. Also, I have done some initial research on a message I received upon barely logging in: "The minimum free disk space (5000MB) reached for /opt/splunk/var/run/splunk/dispatch on an indexer."

A) My research has shown me that it's possible Splunk is forwarding to itself.
B) I can remedy the error by editing the .conf file responsible for setting the min. quota.
C) Assess the storage available and allocate more space to said directory.

Knowing the above options... what do you think is best in my scenario? Again, I am super new to this environment.