How do I configure and enforce a 6 month data retention policy?
Hello, I am trying to configure a 6 month data retention policy in which data has to be deleted from an index 180 days after it has been indexed. Since buckets are defined based on the _time attribute...
Change in Database causes FlowReceiver to stop?
I have run into the common problem of running out of disk space (less than 5000 mb error). To fix this, I've attached a 10+Tb drive by changing $SPLUNK_DB within my splunk-start.conf file. I've also...
Set up itsi_summary in indexes.conf to be on fast and also on slow disk
Hi All, I have one question about ITSI indexes. Our Splunk Indexer has 1 disk “fast” and 1 disk “slow” with more capacity (it is not that slow, but performance is lower than the fast one). On the...
indexes.conf in both /system/local and /slave_apps/_cluster/local in a...
Hello, We have a few indexers which are in a clustered environment, but I see there is an indexes.conf in both /system/local and /slave_apps/_cluster/local where the cluster master is pushing the...
indexes.conf question
Hey All, I have a question surrounding the best way to deploy the indexes.conf in our environment. We currently have our indexes.conf deployed to our indexers, heavy forwarders, and ES. We deploy to...
Index buckets configuration using time
Hello, dear ninjas! I need to configure my indexes to store data in buckets by time period. For example: Index - Test. Hot/warm buckets have to store data for 60 days, then move it to cold buckets...
Remove data after moving index location
I just moved my homePath and coldPath to a new location, and wanted to delete the data stored on Splunk's default index location ($SPLUNK_DB). I would leave it, but it's using the bulk of that...
Why is coldPath.maxDataSizeMB taking precedence and growing until parameter...
I have the following configuration for an index extracted by using btool: /opt/splunk/etc/system/local/indexes.conf coldPath.maxDataSizeMB = 1843200 /opt/splunk/etc/system/local/indexes.conf...
Duplicate index stanza in indexes.conf in a clustered environment
Hello Splunkers, I have an indexes.conf file where I have a duplicate index stanza. If I remove one of them, will it impact anything? Below is my duplicate stanza. I will probably remove the top one if...
Deploy indexes.conf in a Search Head Cluster? How to avoid (and recover in...
We have a Search Head Cluster connected to an Indexer Cluster. All indexes are on the clustered Indexers, and the Search Head Cluster members forward their local internal indexes to the Indexers. Is it...
Volume configuration will not manage space used by this index
We recently upgraded from 7.2.1 to 7.3.3 and from the `_internal` logs I can see that these new warnings are showing up across my indexer cluster. What is it saying and how do I go about fixing this?...
What's the best strategy for volume tags when indexers have different number...
I have a large index cluster with bare metal machines that have different hardware configurations. The number of SSDs, their size, and performance specs differ across the indexers. So what is the best...
Setting up indexes.conf
Hi, I am setting up an indexes.conf file where I am going to fix homePath and coldPath sizes. For example: [myindex] homePath = FASTDISK:\splunk\myindex\db coldPath = SLOWDISK:\splunk\myindex\colddb thawedPath =...
indexes.conf sanity question
I wanted to ask here before making this change, for just another set of eyes. Issue. We have /hot and /cold both with equal amounts of storage, with no difference between the storage speed on either...
Splunk Indexes question
Hi, 1) I want to move my hot/warm buckets to cold after 90 days. Is it possible to roll buckets based on time duration, or can they only be rolled based on volume? I want to keep Hot and Warm for 90 days as I am using...
malformedEventIndex, how to troubleshoot and fix logs ending up here
Hello all, I created a malformedEventIndex ( `malformedevent`), per inputs.conf. I see 400 million+/day from thousands of hosts going to this index from my syslog servers (have a HF that sends to...
I can't understand the bucket segregation in indexes.conf
Question 1: In my org we have Splunk ES 7.2.X with 4 VMs (Windows OS), i.e., 1 Search Head, 1 Deployment Server, 2 Indexers. ***Search Head:*** On the search head we installed **Splunk Add-on for Amazon Web...
Bucket rotation and retention
Hi all, I'm here to ask you for some information about a current setting I found on an existing Splunk index. In particular, this is the indexes.conf stanza related to index A: *[A] homePath =...
Data Archiving and Retirement
I am trying to configure a new instance of Splunk. My requirements for data retention are: Searchable 14 days, Archive 5 years. I have configured the indexes.conf as below for my index: coldToFrozenDir =...
Is it possible to use SmartStore with a standalone docker installation?
Is it possible to use SmartStore with a standalone docker installation? I have been trying to set it up by specifying all my settings in the `indexes.conf` file. It works the first time, but when I...