Splunk app Windows Infrastructure - kvstore disk saturations

mabonjean
Explorer

Hi,

On my Search Head Cluster (with 80GB of disk space for each SH), I use the application "Splunk App Windows Infrastructure", which carries several KVStore and collection configurations.

These KVStores consumed all the disk space. I must disable several scheduled tasks, mainly all KVStore and lookup update tasks.

My problem is still here. This app still consumes my disk space and the KVStore doesn't rotate old data.
I won't clean it, to prevent the loss of valuable data.

How can I modify / optimize the configuration to stop the high disk consumption?

Best regards.

nick405060
Motivator

The answer is that you likely have both the Exchange and Windows app installed, which is the issue. To me this is something that should be addressed ASAP, it seems like a very serious issue that any Splunk customer that installs both apps gets their disk space blown up (unsure which versions of Splunk this affects):

https://docs.splunk.com/Documentation/MSExchange/4.0.0/DeployMSX/Platformandhardwarerequirements#Do_...

I ran this per @dwaddle:

|  rest splunk_server=local /services/server/introspection/kvstore/collectionstats 
|  fields data 
|  mvexpand data 
|  rename data as _raw 
|  spath 
|  fields - _raw
|  fields ns size storageSize totalIndexSize

And it showed me that the terminal service trackers are the culprits:

splunk_app_microsoft_exchange.tSessions_collection and splunk_app_windows_infrastructure.tSessions_collection

Per @automine, app savedsearches likely have the same name and are using the same collection. You can disable tSessions_Lookup_Update* savedsearches in the apps, or, like the Documentation link says, just uninstall the Windows Infra app.

This is also the same issue:

https://answers.splunk.com/answers/716097/kvstore-mongo-consuming-40gb-space.html

Oh also a local clean of the kvstore should clear it out

0 Karma
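
An added example (not part of the original answer or of either app): offline triage of the rows the search above returns, ranking collections by on-disk footprint and flagging collection names that exist under more than one app, which is the situation the answer describes. It assumes each `data` value is a JSON object with the `ns`, `storageSize` and `totalIndexSize` fields the search lists and that `ns` is `<app>.<collection>`; the function name, the byte counts and the third collection are constructed.

```python
import json
from collections import defaultdict

# Constructed sample rows in the shape the search's `data` field is assumed to have.
# The two tSessions_collection namespaces are the ones named in the answer;
# the sizes and "example_small_collection" are made up for illustration.
SAMPLE_ROWS = [
    '{"ns": "splunk_app_windows_infrastructure.example_small_collection",'
    ' "size": 3000000, "storageSize": 4096000, "totalIndexSize": 32768}',
    '{"ns": "splunk_app_windows_infrastructure.tSessions_collection",'
    ' "size": 18000000000, "storageSize": 17000000000, "totalIndexSize": 900000000}',
    '{"ns": "splunk_app_microsoft_exchange.tSessions_collection",'
    ' "size": 21000000000, "storageSize": 19000000000, "totalIndexSize": 1000000000}',
]

def triage(rows, top=5):
    """Return (largest collections, collection names present in more than one app)."""
    stats = []
    apps_by_name = defaultdict(set)
    for raw in rows:
        doc = json.loads(raw)
        # Assumption: the namespace is "<app>.<collection>", split on the first dot.
        app, _, collection = doc["ns"].partition(".")
        # Disk footprint = allocated document storage plus all index storage.
        on_disk = int(doc.get("storageSize", 0)) + int(doc.get("totalIndexSize", 0))
        stats.append({"app": app, "collection": collection, "on_disk_bytes": on_disk})
        apps_by_name[collection].add(app)

    shared = {n: sorted(a) for n, a in apps_by_name.items() if len(a) > 1}
    for s in stats:
        # Other apps that define a collection with the same name.
        s["shared_with"] = [a for a in shared.get(s["collection"], []) if a != s["app"]]
    stats.sort(key=lambda s: s["on_disk_bytes"], reverse=True)
    return stats[:top], shared

if __name__ == "__main__":
    largest, shared = triage(SAMPLE_ROWS)
    for s in largest:
        note = f"  <- same name also in {', '.join(s['shared_with'])}" if s["shared_with"] else ""
        print(f"{s['on_disk_bytes'] / 1e9:8.2f} GB  {s['app']}.{s['collection']}{note}")
```
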

mabonjean
Explorer

Hi Nick,

Thanks for your reply.

We solved (I expect permanently) my issue by cleaning all local KVStores.

The cause is that some old lookup files (from months ago) can't be deleted by Splunk.
When I clean a local KVStore, the non-replicated old lookup files are replicated after the cleaning.

I'll check your answer and make sure that all is OK with my apps.
I'll report back afterwards.

Thank you.

0 Karma