×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
ngc_johnadams
Observer
Member since: ‎05-18-2020
‎07-11-2022
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎05-18-2020
View All

Re: Splunk 9 & MongoDB compact, now that WiredTige...

by in Splunk Enterprise
‎07-11-2022 10:28 AM
‎07-11-2022 10:28 AM
Makes sense.  I thought the underlying storage engine for the indexes is MongoDB, which is why I was thinking there must be a way to reclaim space. We can wait for data to roll off, but in our case we have a long retention period (1-2yr +), necessary for performing investigations over the past couple of years.  Combined with hardened boxes that generate a lot of log data to begin with.  The two set up a situation where you can get a lot of undesired noise in the indexes before you realize it, and then you're stuck with a storage issue for a couple years while you wait for it to roll off because there is other good data in the index that you do want to retain. There must be a way to clean up what amounts to a "data spill" in your indexes while retaining the good data. The documentation for the 'delete' command indicates it only removes the data from regular searches, leaves references to it in metadata searches, and never reclaims the space.  Is it marking the locations for overwrite?  Will it be used by other data as long as the bucket is still active? Thanks. ... View more

Splunk 9 & MongoDB compact, now that WiredTiger is...

by in Splunk Enterprise
‎07-07-2022 06:28 PM
‎07-07-2022 06:28 PM
Is MongoDB compacting of indexes to save space after data is deleted a built-in option in Splunk 9?  Previous posts indicated it was not possible, and it appeared the reason was due to WiredTiger not being the standard storage engine under the hood.  Now that WiredTiger is required in Splunk 9, is support for 'compact' a standard feature in Splunk 9? Need an elegant/supported way to free up disk space after deleting data. When you realize that something has flooded your indexes and filled up disk space, what's the supported option to get the individual events out of the index and reclaim the disk space without losing the rest of the data in the index that is wanted?   emphasis on reclaiming/freeing the disk space.  Is the only option to let the buckets age out to frozen? Thanks. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎07-11-2022 05:05 PM