The following config works fine: $ cat /opt/splunk/etc/system/local/indexes.conf [default] maxTotalDataSizeMB=5 maxDataSize=auto_high_volume [main] maxTotalDataSizeMB=3 frozenTimePeriodInSecs=300 maxDataSize=2 maxMemMB=1 maxHotBuckets=3 disabled=false ... View more

I have changed the configuration based on your recommendation. This is the current setting I use:   $ cat /opt/splunk/etc/system/local/indexes.conf [default] maxTotalDataSizeMB=3 [main] maxTotalDataSizeMB=1 frozenTimePeriodInSecs=300 disabled=false     I also modified my queries a little bit: Hopefully this shows the size in MB: index=_* source=* type=Usage idx=* | eval MB=b/1024/1024 | stats sum(MB) by st result: 7.520857810974121, increasing   Number of records: sourcetype=ADMIN_SERVER index="main" | stats count as Records result: 1781, increasing     Size on disk: | dbinspect index="main" | eval MB=sizeOnDiskMB| stats sum(MB) result: 1.84375, increasing   According to my last query, the size of the main index that I use is 1.8MB which is bigger than 1MB that I set in the conf file.   I also checked the Settings > Monitoring Console > Index and volumes. Here I have found interesting reports. As I can see all disk-related data is shown in GB, and I think that my feeding speed and size are not enough big to see changes in the charts. Maybe I need to change my "feeder" to inject more data into the logfile because my small echo "xxx" >> $logfile  command does not send too many bytes to the file that I am monitoring.   But the most interesting thing that I see in the Index Detail: Instance report is this: Retention policies maxTotalDataSizeMB 1  frozenTimePeriodInSecs 300 homePath.maxDataSizeMB 0 coldPath.maxDataSizeMB 0 It seems that my settings is applied.   I see in the report that the main index I use received 2465 events and it has only 1 bucket. So maybe I need to wait a little bit to have 2 buckets and then the increasing of records and disk usage will stop.    I so appreciate your help, your advice helped a lot. If you could suggest to me something else that I could check/configure that would be great.   In the meantime, I will change my feeding bash script to send more data to Splunk.   thx a lot     ... View more

Thx for the response. This is a good idea.  I have dropped my containers and started again from the scratch.   $ docker exec -u splunk -it splunk /bin/bash vi /opt/splunk/etc/system/local/indexes.conf [main] maxTotalDataSizeMB=1 frozenTimePeriodInSecs=300 disabled=false ls -all /opt/splunk/etc/system/local/indexes.conf -rw-rw-r-- 1 splunk splunk 71 Aug 31 14:58 /opt/splunk/etc/system/local/indexes.conf     Then I restarted the Splunk this way:   $ cd /opt/splunk/bin/ $ ./splunk restart Stopping splunkd... Shutting down. Please wait, as this may take a few minutes. ..................................... Stopping splunk helpers... Done. Splunk> Needle. Haystack. Found. Checking prerequisites... Checking http port [8000]: open Checking mgmt port [8089]: open Checking appserver port [127.0.0.1:8065]: open Checking kvstore port [8191]: open Checking configuration... Done. Checking critical directories... Done Checking indexes... Validated: _audit _internal _introspection _metrics _metrics_rollup _telemetry _thefishbucket history main summary Done Checking filesystem compatibility... Done Checking conf files for problems... Done Checking default conf files for edits... Validating installed files against hashes from '/opt/splunk/splunk-8.2.1-ddff1c41e5cf-linux-2.6-x86_64-manifest' All installed files intact. Done All preliminary checks passed. Starting splunk server daemon (splunkd)... Done Waiting for web server at http://127.0.0.1:8000 to be available........ Done If you get stuck, we're here to help. Look for answers here: http://docs.splunk.com The Splunk web interface is at http://splunk:8000     Then I have waited 10 minutes and checked the result. The number of the records is still increasing and the size of the index too. The size of the index based on the query above is 1622.9306640625.     ... View more