Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to clean stash_new files from the spool directory

OldManEd
Builder
‎02-20-2014 07:18 AM

All, my /opt/splunk/var/spool/splunk directory has 83,000 plus "*.stash_new" files in it and I would like to clear them out. I have seen references to this issue but no real solutions. If anyone has figured out how to accomplish this, can you please pass along the procedure?

I've noticed that the files go back to March of last year. Does anyone know the implications of simply deleting these real old files?

Thanks in advance.

UPDATE: I was troubleshooting another issue on this splunk instance that required a splunk restart. After the restart I noticed in the splunkd.log file that splunk was going through all 83,000 files trying to reread them, and failing. I understand that rereading the stash_new files in the spool directory at start up is normal splunk processing. Now I understand why I did not notice any current missing data.

So I'm back to the consequences of simply deleting the old stash_new files. Does anyone have experience with that?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎02-20-2014 10:48 AM

They are the files created for the summary indexing, and should have been deleted once indexed.

Look like you encountered the error described here :http://answers.splunk.com/answers/70072/summary-indexing-blocked-and-binary-file-warning

please upgrade to 5.0.3 or more recent, and verify that no new files get stuck in the folder (they should stay there only a few minutes)

About the old files, they are old summary reports.

View solution in original post

Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎02-20-2014 10:48 AM

They are the files created for the summary indexing, and should have been deleted once indexed.

Look like you encountered the error described here :http://answers.splunk.com/answers/70072/summary-indexing-blocked-and-binary-file-warning

please upgrade to 5.0.3 or more recent, and verify that no new files get stuck in the folder (they should stay there only a few minutes)

About the old files, they are old summary reports.

Reply
Solved! Jump to solution

OldManEd
Builder
‎02-20-2014 11:17 AM

Yannj,
Thanks for the update. We just ran an upgrade to 5.0.5 on Saturday, 5 days ago. And the last file was from 02/15, when we updated. I just wanted to make sure that if I delete the old files something else won't blow up.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...