Getting Data In

Index isn't shrinking when configuring Index size

gingerpower121
Explorer

I have the app Splunk_TA_microsoft_ad and I am trying to reduce the storage size of the index "wineventlog" from 50gb to around 15-20gb. I have tried updating the index in the GUI through the indexes page and updating the indexes.conf file and nothing seems to update. I've updated the indexes.conf file below with the config below and restarted splunk service.

/opt/splunk/etc/apps/Splunk_TA_microsoft_ad/local/indexes.conf

My config looks like this:

[wineventlog]
bucketRebuildMemoryHint = 0
compressRawdata = 1
enableDataIntegrityControl = 0
enableOnlineBucketRepair = 1
enableTsidxReduction = 0
maxTotalDataSizeMB = 15360
minHotIdleSecsBeforeForceRoll = 0
rtRouterQueueSize =
rtRouterThreads =
suspendHotRollByDeleteQuery = 0
syncMeta = 1
maxDataSize = 5120

Tags (1)
0 Karma
1 Solution

lguinn2
Legend

Is indexes.conf only defined in one place? When you say "it doesn't update," I assume that you mean that your changes are saved in the file, but that nothing actually changes the size of the index.

I suggest that you check
1. Configuration file precedence - if indexes.conf is defined in multiple places, overlapping definitions are resolved based on the rules of precedence
2. Do you need to restart Splunk? When you manually edit indexes.conf, you need to restart Splunk for the changes to take effect.

View solution in original post

0 Karma

lguinn2
Legend

Is indexes.conf only defined in one place? When you say "it doesn't update," I assume that you mean that your changes are saved in the file, but that nothing actually changes the size of the index.

I suggest that you check
1. Configuration file precedence - if indexes.conf is defined in multiple places, overlapping definitions are resolved based on the rules of precedence
2. Do you need to restart Splunk? When you manually edit indexes.conf, you need to restart Splunk for the changes to take effect.

0 Karma

gingerpower121
Explorer

That was it. Total noob mistake on my part. Didn't realize it was also configured in:

/opt/splunk/etc/system/local/indexes.conf

0 Karma

lguinn2
Legend

Everybody does it. Some of us do it more than once!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...