- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to control splunk logs splunkd_stderr.log & sp...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to control splunk logs splunkd_stderr.log & splunkd-utility.log filling up disk space
Hi,
I have installed Splunk having very limited space. I am able to manage other logs my modifying /etc/log.cfg file.
However, do not find any parameter to rotate/control splunkd_stderr.log & splunkd-utility.log.
Do we have any separate parameter/file to manage these Splunk logs?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For this specific index you can allocate (a lot) less than the 1/2 terabyte assigned, by default, for each index.
To begin with, you can run the following to know how much each index consumes -
| rest /services/data/indexes
| eval perc=(currentDBSizeMB * 100 / maxTotalDataSizeMB )
| table title currentDBSizeMB maxTotalDataSizeMB perc
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I downvoted this post because this is a completely irrelevant answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh oh - really sorry ; -) but truly it's really relevant.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I agree. What is the point of decreasing the size of the log files if they are all indexed with a max size of 1/2 TB anyway?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
As you mentioned most logs can be controlled from /etc/log.cfg, however there are some logs such as splunkd_stderr.log that are effectively "hard coded" and cannot be changed. However, it was suggested that you could use a symbolic link to move the files to your preferred location.
Best Regards,
BPitts2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you,
As last solution will write script or create symbolic link.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looks like we can manage splunkd-utility.log by changing parameter in log-utility.cfg.
Any how its 5 MB and will limit to 1 rotation than 5.
appender.A1.fileName=${SPLUNK_HOME}/var/log/splunk/splunkd-utility.log
appender.A1.maxFileSize=5000000 # default: 5MB (specified in bytes).
appender.A1.maxBackupIndex=5
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good to know, thanks!
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
