Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why would my audit index grow to over 300g suddenly?

MikeBertelsen
Communicator
‎06-07-2018 10:28 AM

Why would my audit index grow to over 300g suddenly?
This happened on the SH. The _audit index normally sits at about 80 mb. So to get an alert that I was nearly out of storage for Splunkhome was a surprise.
For immediate impact I altered the size of the index to 500m, let the storage clearup, and reset the storage to allow up to 10g.

0 Karma
Reply

jowenssi
Path Finder
‎06-07-2018 10:40 AM

Unless there is a misconfigured input feeding the audit index, the easiest answer is that there seem to be a large amount of changes in your environment. The DIY solution would be to search the audit index to identify what changes are occurring. These could be a script making changes to the Splunk files on disk, or a large/excess amount of activity. Here's a list of all of the activities that would cause an entry in the audit index: https://docs.splunk.com/Documentation/Splunk/7.1.1/Security/AuditSplunkactivity

0 Karma
Reply

xpac
SplunkTrust
SplunkTrust
‎06-07-2018 10:39 AM

Well, with the data already gone, it might be difficult to determine the cause.
However - if it still grows fast now, you could simply take a look at what kind of messages appear very frequently, e.g. using the Pattern tab.
This would most likely give you an idea why this has happened.
Also - is this a personal instance, or a corporate one? Production, dev or test? Available from the internet, or LAN only?

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...