Solved: Re: How to delete raw data files?

stwong · ‎12-28-2015

Hi all,

We encounter Splunk server running out of disk space issue in past months. I tried to reduce maxTotalDataSizeMB and frozenTimePeriodInSecs from time to time for squeezing disk space. Currently it looks like the following:

------------ cut here ---------------
[main]

maxTotalDataSizeMB = 20000
coldToFrozenDir = /usr/local/splunk/var/frozen/main
frozenTimePeriodInSecs = 864000

[p0f]
maxTotalDataSizeMB = 20000
coldToFrozenDir = /usr/local/splunk/var/frozen/p0f
frozenTimePeriodInSecs = 432000

------------ cut here ---------------

Seems default of frozen data processing is to delete them. However, raw data is still there and eats up a lot of disk space, e.g. in /usr/local/splunk/var/frozen/p0f for the p0f index, there are log of db_* folders:

ls -l db_1415393077_1415384845_1994/rawdata/
total 112132
-rw-------. 1 splunk splunk 114815328 Nov  8  2014 journal.gz

I daren’t deleting them manually.

Would anyone please help? Sorry for the newbie question.

Thanks and regards
/ST Wong

renjith_nair · ‎12-28-2015

If you set the coldToFrozenDir attribute in indexes.conf, the indexer will automatically copy frozen buckets to the specified location before erasing the data from the index. So the data still resides on the location you specified on the disk.

If you don't specify either of these attributes(coldToFrozenDir or coldToFrozenScript), the indexer runs a default script that simply writes the name of the bucket being erased to the log file $SPLUNK_HOME/var/log/splunk/splunkd_stdout.log. It then erases the bucket.

Reference : http://docs.splunk.com/Documentation/Splunk/6.3.1511/Indexer/Automatearchiving

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair · ‎12-28-2015

If you set the coldToFrozenDir attribute in indexes.conf, the indexer will automatically copy frozen buckets to the specified location before erasing the data from the index. So the data still resides on the location you specified on the disk.

If you don't specify either of these attributes(coldToFrozenDir or coldToFrozenScript), the indexer runs a default script that simply writes the name of the bucket being erased to the log file $SPLUNK_HOME/var/log/splunk/splunkd_stdout.log. It then erases the bucket.

Reference : http://docs.splunk.com/Documentation/Splunk/6.3.1511/Indexer/Automatearchiving

---
What goes around comes around. If it helps, hit it with Karma 🙂

renjith_nair · ‎12-28-2015

Please accept this as answer if you are happy so that question will be closed and might be useful for others.

---
What goes around comes around. If it helps, hit it with Karma 🙂

richgalloway · ‎12-28-2015

Yes, the default action is to delete frozen data. However, by specifying a value for coldToFrozenDir you have changed the default behaviour so Splunk will retain frozen data. Remove that attribute, restart splunkd and the frozen data will be deleted.

---
If this reply helps you, Karma would be appreciated.

stwong · ‎12-28-2015

Hi all,

Thanks for your help. It works.

Best Regards

ppablo · ‎01-05-2016

Hi @stwong

Please be sure to resolve your posts by clicking Accept directly below the answer that best answered your question. That will make this post easier to find for other users with the same/similar question.

stwong · ‎01-05-2016

Noted and thanks. Seems can only accept the "best" one even I find all the replies are helpful...
Thanks for your reminder.

How to delete raw data files?

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!