Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

You are low in disk space on partition "/opt/splunk/var/lib/splunk/audit/db". Indexing has paused. Will resume when free disk space rises above

rameshlpatel
Communicator
‎11-26-2013 01:14 AM

I am getting this message on my indexer and search head.

First i set 5000Mb after getting this error i set this to 2000mb and some days same message seeing .

I want to know what is mean of this ? Where we are using this space in splunk ?

Tags (2)
0 Karma
Reply

lukejadamec
Super Champion
‎11-26-2013 05:25 AM

Check the size of your indexes. If you are using the defaults then check the size of splunk\var\lib\splunk

The message you're getting is saying that the file system that holds splunk\var\lib\splunk is low on disk space.

As gfuente said, when the file system gets low on disk space then all indexing will stop until you correct the problem.

If the problem comes and goes by itself, then that means Splunk is deleting data based on the index retention policies, which temporarily frees up space on the file system.

Reply

lukejadamec
Super Champion
‎11-26-2013 05:52 AM

You should not post your comments as answers - it gets confusing.

0 Karma
Reply

lukejadamec
Super Champion
‎11-26-2013 05:52 AM

If you do not need the _audit index data, then you can delete the db folders found in splunk\var\lib\splunk\\audit\db
The modified date of the db folders is a rough approximation of the age of the data.

You should do a search on the _audit index to see what messages are causing the index to fill up so fast.

index=_audit earliest=-2d | stats count by action

0 Karma
Reply

rameshlpatel
Communicator
‎11-26-2013 05:36 AM

Ok I am seeing that audit index reached to their maximum limit.

Can we clear this index logs ? Is that any harmful ?

0 Karma
Reply

rameshlpatel
Communicator
‎11-26-2013 05:25 AM

First thing thanks for quick response.

But I am seeing that there is enough space avialable in FS upto 100gb.

And all indexed file goes on there specific folder structure. Then why it will affect on this folder ?

My questions is still uncleared : Why we are using this folder structure ? what actually we are storing ?

0 Karma
Reply

gfuente
Motivator
‎11-26-2013 01:37 AM

Hello

This means that you are running out of free space on that FS. Splunk will stop all indexing until that problem is sorted. You should check your indexes size, and the free space available. One solution will be increase the FS size, or change the retention policies to delete old data.

Regards

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...