Hello,
We have an installation of Splunk with a third-party Splunk app which reads W3C log files. This is the third time I've installed this same setup on a different server. The first two installations are working fine, but the third installation has ballooned up in size to 200 GB (the other installations take up significantly less space). Most of the space is taken up by colddb in _internaldb.
Does anyone know why this could happen? I've only uploaded ~50 MB of log files. What could cause the internal index to increase in size by that much?
Note: The only difference with the third installation was that I changed the system time of the server to September 5th, and then changed it back to the current time after a few minutes. I did run a summary script to populate summary indexes when the system time was changed to September 5th.