Changing path or purging data from /opt/splunk/var...

RVDowning · ‎04-06-2012

My question is related to this one: http://splunk-base.splunk.com/answers/2205/can-i-change-the-path-of-the-dispatch-directory

I am getting the warning message: The minimum free disk space (2000MB) reached for /opt/splunk/var/run/splunk/dispatch

Namely, I am also running into disk space issues with only 1.5 GB remaining in the partition in which /opt/splunk/var/run/splunk/dispatch resides (60% full). I set the indexing path to /splunk/data with 100 GB available and is only 4% full. Can I change the path of the dispatch directory (using splunk 4.3 on Linux)? Perhaps I don't understand the nature of what is in the dispatch directory. Are these just saved searches? Are these temporary intermediate results? Can this data just be removed? Since the data is still there in the large partition presumably data can always be found again.

Thanks!
Rich

jbsplunk · ‎04-06-2012

You don't have the ability to change where search artifacts are stored, they'll always be in this directory. As noted in the post you reference, you may make this directory into a symbolic link where you have more space available.

These aren't just saved searches, they are ad-hoc searches, and it isn't exactly correct to say they are the searches. What is stored in this folder are the search artifacts, and these artifacts make up the search results. Once the artifacts expire because the TTL for a particular job has been reached, the results will be reaped and the folder for that job will be removed. You may delete anything you'd like in this folder, the only effect you'll see on product functionality is that the results of the searches which you remove the the artifacts for will no longer be available.

Changing path or purging data from /opt/splunk/var/run/splunk/dispatch

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms