Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to clean stash_new files from the spool directory

OldManEd
Builder
‎02-20-2014 07:18 AM

All, my /opt/splunk/var/spool/splunk directory has 83,000 plus "*.stash_new" files in it and I would like to clear them out. I have seen references to this issue but no real solutions. If anyone has figured out how to accomplish this, can you please pass along the procedure?

I've noticed that the files go back to March of last year. Does anyone know the implications of simply deleting these real old files?

Thanks in advance.

UPDATE: I was troubleshooting another issue on this splunk instance that required a splunk restart. After the restart I noticed in the splunkd.log file that splunk was going through all 83,000 files trying to reread them, and failing. I understand that rereading the stash_new files in the spool directory at start up is normal splunk processing. Now I understand why I did not notice any current missing data.

So I'm back to the consequences of simply deleting the old stash_new files. Does anyone have experience with that?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎02-20-2014 10:48 AM

They are the files created for the summary indexing, and should have been deleted once indexed.

Look like you encountered the error described here :http://answers.splunk.com/answers/70072/summary-indexing-blocked-and-binary-file-warning

please upgrade to 5.0.3 or more recent, and verify that no new files get stuck in the folder (they should stay there only a few minutes)

About the old files, they are old summary reports.

View solution in original post

Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎02-20-2014 10:48 AM

They are the files created for the summary indexing, and should have been deleted once indexed.

Look like you encountered the error described here :http://answers.splunk.com/answers/70072/summary-indexing-blocked-and-binary-file-warning

please upgrade to 5.0.3 or more recent, and verify that no new files get stuck in the folder (they should stay there only a few minutes)

About the old files, they are old summary reports.

Reply
Solved! Jump to solution

OldManEd
Builder
‎02-20-2014 11:17 AM

Yannj,
Thanks for the update. We just ran an upgrade to 5.0.5 on Saturday, 5 days ago. And the last file was from 02/15, when we updated. I just wanted to make sure that if I delete the old files something else won't blow up.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...