Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why real-time alerts can lead to insufficient disk space on a device and cause splunkweb to not start?

Michael
Contributor
‎09-10-2014 05:44 AM

Sharing a lesson learned...
Splunk 6.1.3 (but I think would apply to most) on RHEL 6.

I came in one morning to being unable to log into Splunk, and the web interface producing an error indicating that the drive was full. Upon checking the space, there was plenty, over 30 gigs. I have had it stop indexing once when it reached the 2 gig mark, as designed, but never saw this -- that did not prevent the web interface from working.

Reply
1 Solution
Solved! Jump to solution
Solution

Michael
Contributor
‎09-10-2014 07:00 AM

hmm, forgot to "answer" this so it would be closed. Tks Rich,

Cheers!

Long story short, I had the previous day created an alert to fire off in "real time". Be very careful with these! Overnight, the alert fired off, but I had set the criteria up wrong, so it fired off over 10,000 times. The space that was filled up were the inodes. This can be checked with 'ls -i'. The place that fills up is in ../splunk/var/run/splunk/dispatch/ -- I removed all the alerts in this directory and went happily about my business -- oh, and removing that offending alert.

View solution in original post

Reply
Solved! Jump to solution
Solution

Michael
Contributor
‎09-10-2014 07:00 AM

hmm, forgot to "answer" this so it would be closed. Tks Rich,

Cheers!

Long story short, I had the previous day created an alert to fire off in "real time". Be very careful with these! Overnight, the alert fired off, but I had set the criteria up wrong, so it fired off over 10,000 times. The space that was filled up were the inodes. This can be checked with 'ls -i'. The place that fills up is in ../splunk/var/run/splunk/dispatch/ -- I removed all the alerts in this directory and went happily about my business -- oh, and removing that offending alert.

Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎09-11-2014 04:40 PM

realtime/alltime alert searches are like a loaded gun, handle with care.

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎09-10-2014 10:52 AM

Hi @Michael

I just moved your content around to the appropriate spaces and also accepted the answer for you so this post will get more hits. Thanks for sharing this 🙂 very helpful.

Patrick

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-10-2014 06:20 AM

Thanks for sharing, Michael. For the benefit of users searching for similar problems in future, answer this question and accept the answer. That will mark this as a solution.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...