Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Unable to run Security Posture in the Splunk Cloud sandbox with error "The minimum free disk space (2000MB) reached"?

wtaddis
New Member
‎08-08-2016 11:00 AM 
Search not executed: The minimum free disk space (2000MB) reached for /opt/splunk/var/run/splunk/dispatch. user=wtaddis.

Splunk Version
6.3.1511

Splunk Build
8effae892620

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎08-08-2016 11:31 AM

This could mean that your dispatch folder is "full" which will prevent you from doing any searches. This became full because too many searches we're going on in parallel and you don't have enough room on the file system. You can manually clear these files without any harm, this will just kill the search

Or this means that your opt drive is full. Most likely your coldb is retaining a lot of old files and not moving them to the frozen bucket. Go to /opt/splunk/var/lib/splunk/_internaldb and do a du -sh * and see what is taking up space

You could also go into the config file and decrease the file size needed which will temporarily fix your problem, but you will have the same issue again very quickly. This is in server.conf under the [diskUsage] stanza.. It should be like minFreeSpace =xx

Go look in your db and see what files are taking lots of room and delete some. You should then go to your settings/indexes and set a max size for your cold bucket to prevent this in the future.

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎08-08-2016 12:02 PM

I also want to describe what the dispatch folder does for more clarity..

The dispatch dir will house "artifacts" and these searches will be "cached" in the dispatch directory so you can load up searches faster. I believe the scheduled searches are relative to the timespan of the search, so if you have a long timespan then this will live in the dispatch folder for a longer period of time (Could be days). So to sum it up, if you have a lot of scheduled searches AND they have a big timespan specified, then this will quickly clog up your dispatch folder. So you will need to increase the size, decrease the amount of scheduled searches, decrease the timespan in those scheduled searches or decrease the minimum free disk space

Reply

ppablo
Retired
‎08-09-2016 05:32 PM

Here's an answer from a previous post on this topic for further reading 🙂
https://answers.splunk.com/answers/213571/what-causes-too-many-search-jobs-found-in-the-disp.html#an...

Reply

skoelpin
SplunkTrust
SplunkTrust
‎08-09-2016 06:24 PM

Ahh 2p, that's right!

0 Karma
Reply

wtaddis
New Member
‎08-08-2016 11:41 AM

Thanks. Since this is a Splunk Enterprise Security Workshop located in the Splunk Cloud would the configuration take place in Splunk's infrastrucure.? Thanks again.

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎08-08-2016 12:11 PM

Yes on the indexer

0 Karma
Reply

wtaddis
New Member
‎08-08-2016 11:11 AM

This is for a Splunk Enterprise Security Workshop

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...