- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Windows installation- retention question
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Windows installation- retention question
I have setup a Windows 2008 virtual machine with the latest Splunk version installed. I only have a total of 10 gig on the volume that Splunk is installed. I would like it to roll over (delete) after the database hits approx 8-8.5 gig of data. Is there any easy way to do this? I've looked into the index's and it appears to use the main db and the _internal the most. Do I have to set each of these to 4 GB each or is there another more straight forward way to do this? Or, do I set the maxTotalDataSizeMB to 8000 mb? Any info. would be greatly appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
maxTotalDataSizeMB would be the total size, per index, so you would need to configure each of your indexes so that the sum of each maxTotalDataSizeMB was less than the amount of storage you wanted to allocate for Splunk's indexes. Depending on how much you are indexing outside of Splunk, it's not likely you will need 4GB for _internal (I have been indexing 15-20GB for nearly 9 months and my _internal index is ~3.5GB).
You may want to consider adding the following to your etc/system/local/indexes.conf
[default]
maxTotalDataSizeMB = 512
[main]
maxTotalDataSizeMB = 5120
There are other settings to play with too, including maxDataSize to control the size of each hot bucket and frozenTimePeriodInSecs to force migration to frozen (ie, purge unless you have a script to handle this) after a set time based retention.
See the documentation for indexes.conf at: http://www.splunk.com/base/Documentation/latest/admin/Indexesconf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you changed it in the web interface, it is likely created an indexes.conf in $SPLUNK_HOME\etc\apps\search\local with your settings. I personally hate distributing settings in the application directories so I tend to edit the conf files directly under etc\system\local...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the information. I actually adjusted the "main" index size in the GUI and then restarted the Splunk server. I then checked the index.conf to see if it changed in the file. It did not. Should it reflect the change or if it's changed in the web interface does it store the info. somewhere else? Thanks in advance.
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
