Topics

| pdf version

Welcome

What to do first

Start Splunk

Meet Splunk Web and Splunk Apps

Before you configure

Add data and configure inputs

Indexing and event processing

Timestamps

Add and manage users

Manage indexes

Define alerts

Set up backups and retention policies

Configure data security

Set up forwarding and receiving

Deploy to other Splunk instances

Set up distributed search

Manage search jobs

Use Splunk's command line interface (CLI)

Configuration file reference

Troubleshooting


Toolbox

Splunk > The IT Search Company

  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk

Localized Splunk documentation

Looking for Splunk documentation in other languages?

Documentation | Discussion | View source | History

Set limits on disk usage

This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6

Set limits on disk usage

There are several methods for controlling disk space used by Splunk. Most disk space will be used by Splunk's indexes and compressed log files (collectively called the database). If you run out of disk space, Splunk will stop indexing. You can set a minimum free space limit to control how low you will let free disk space fall before indexing stops. Indexing will resume once you space exceeds the minimum.

Set minimum free disk space

Use settings in Splunk Web to set a minimum amount of disk space to keep free on on the disk where indexed data is stored. If the limit is reached, the server stops indexing data until more space is available.

Note:

  • The Splunk server will not clear any of its own disk space under this method. It will simply wait for more space to become available.
  • Some events may be lost if they are not written to a file during the paused period.

In Splunk Web

  • Click Manager in the upper right corner of Splunk Web.
  • Click System settings.
  • Under the Index settings section, find Pause indexing if free disk space (in MB) falls below::

Image:Disk_settings.jpg

  • Enter your desired minimum free disk space in megabytes.
  • Click Save.

Restart Splunk for your changes to take effect.

From the Command line interface (CLI)

You can set the minimum free megabytes via Splunk's CLI. To use the CLI, navigate to the $SPLUNK_HOME/bin/ directory and use the ./splunk command.

# splunk set minfreemb 20000 # set minfree to 20GB

# splunk restart

Set database size

Controls for indexes are in indexes.conf. You can control disk storage usage by controlling total index size, age of data in the database, and aging policy. When one of these limits is reached, data will be removed. You can archive the data using one of Splunk's predefined archive scripts or create your own. Edit this file in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work. Do not edit the copy in default.

Set the following indexes.conf: 

maxTotalDataSizeMB = (500000)
* The maximum size of an index. If an index grows bigger than this the oldest data is frozen out.
and set it to it new value (in megabytes)

Example: 

[main]
maxTotalDataSizeMB = 2500000

Restart Splunk for your changes to take effect. It may take some time, up to 30 or 40 minutes, for Splunk to move events out of the index to conform to the new policy, during which you may see high CPU usage.

Retrieved from "http://www.splunk.com/base/Documentation/4.0.6/Admin/Setlimitsondiskusage"
Revision: 207 | Contact | Privacy Policy | Terms of Use | Community content licensed under Creative Commons

Copyright © 2005-2009 Splunk Inc. All rights reserved.