The diskspace remaining=8376 has breached the yellow threshold for filesystems=[/opt/splunk/var/lib/splunk/audit/db]
06-18-2019 14:30:39.377 -0500 WARN DiskMon - MinFreeSpace=5000. The diskspace remaining=8376 is less than 2 x minFreeSpace
In the .../audit dir
only db has data, nothing in colddb etc...
I am not sending them to a frozen path, I was hoping they would roll...
How do I set this to roll or drop after it reaches 2GB?
If you would rather roll data out by time or space limit, that's something for indexes.conf and you can see how to do that here:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Indexer/Configureindexstorage
If you would rather roll data out by time or space limit, that's something for indexes.conf and you can see how to do that here:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Indexer/Configureindexstorage
thanks, cannot believe I did not think of that...
No worries. 🙂
Hi there,
You can change the value of the free disk space that triggers the warning in limits.conf - see the docs link below: