It looks like Splunk for Palo Alto Networks is using tscollect commands to create dashboards, and the files associated with these commands are stored in /opt/splunk/var/lib/splunk/tsidxstats. They seem to be growing uncontrollably and filling our server. (Hot / cold buckets are configured on a separate set of filesystems, with tsidx files, but these appear to be something different.)
Hi,
You're correct about the file origin.
If you grab the Splunk App for Netapp it includes SA-Utils, which contains handling for tsidx retention. configurable with tsidx_retention.conf.