Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I quickly make some space on the $SPLUNK_DB partition?

mctester
Communicator
‎05-04-2010 06:41 PM

The splunk cold storage file system is 100% full. I'm relatively new to splunk & not sure the proper way to purge.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Mick
Splunk Employee
Splunk Employee
‎05-04-2010 06:42 PM

The easiest way to free up some space is to manually move some directories to an alternate location. If you want to keep the data, make sure you have an archive volume to move it to, if you don't care about the data, you can simply delete it.

As long as you move entire 'buckets' of data you shouldn't run into any trouble. A complete bucket is everything inside a directory with the name format - db_, eg - db_1250709009_1250705372_75

This format tells you the latest event in the bucket (timestamp1), the earliest event (timestamp2), and hence the bucket-span, and finally the ID which was assigned to it on completion. Each bucket ID within an index must be unique. Click here for a more in-depth explanation of how buckets work.

If you want to configure Splunk to manage disk-space itself, then you will want to consider a retirement policy.

View solution in original post

Reply
Solved! Jump to solution

BunnyHop
Contributor
‎05-04-2010 08:42 PM

You can easily move buckets either through attaching a script each buckets or make a pointer to the storage of the cold folder/repository on the indexes.conf.

0 Karma
Reply
Solved! Jump to solution
Solution

Mick
Splunk Employee
Splunk Employee
‎05-04-2010 06:42 PM

The easiest way to free up some space is to manually move some directories to an alternate location. If you want to keep the data, make sure you have an archive volume to move it to, if you don't care about the data, you can simply delete it.

As long as you move entire 'buckets' of data you shouldn't run into any trouble. A complete bucket is everything inside a directory with the name format - db_, eg - db_1250709009_1250705372_75

This format tells you the latest event in the bucket (timestamp1), the earliest event (timestamp2), and hence the bucket-span, and finally the ID which was assigned to it on completion. Each bucket ID within an index must be unique. Click here for a more in-depth explanation of how buckets work.

If you want to configure Splunk to manage disk-space itself, then you will want to consider a retirement policy.

Reply
Solved! Jump to solution

Simeon
Splunk Employee
Splunk Employee
‎05-04-2010 07:08 PM

Be aware that you should not move buckets while Splunk is online. If Splunk tries to search data within a bucket, it will throw an error and possibly crash.

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...