indexes.conf

linu1988 · ‎11-08-2013

Hello,
I am getting these messages , what is the action upon this? The disk space is not even near half,that shouldn't be the cause. Any guidance will be greatly appreciated.

Thanks

saramamurthy_sp · ‎12-31-2019

Hi

Kindly increase the size under the below parameter and restart the splunk services.

Under the server.conf

[queue]

maxSize

swmishra_splunk · ‎06-26-2019

Kindly, check for which specific indexes and for which bucket directories it is giving the error.

Generally, whenever an index generates too many small tsidx files(more than 25) Splunk is not able to optimize all those files within the specified time period.

Kindly, run the below command against the specific directory to optimize it manually:-

splunk-optimize -d|--directory

Or you can make the below changes in Indexes.conf to fix the issue:-

indexes.conf

[default]
maxConcurrentOptimizes=25
maxRunningProcessGroups=12
processTrackerServiceInterval=0

Please go through the below documentation to have a better understanding of Splunk Optimization.
http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Optimizeindexes

rtadams89 · ‎06-02-2014

Try running the splunk-optimize process manually against that directory: http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Optimizeindexes

Also, make sure you haven't changed the value of maxConcurrentOptimizes in indexes.conf from its default value.

Search peer has the following message: idx=_internal Throttling indexer, too many tsidx files in bucket='dir", is splunk optimizer running?

indexes.conf

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases