Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to troubleshoot why index size on disk suddenly jumped by 2.5TB overnight?

jbrandtelastica
New Member
‎05-09-2016 12:56 PM

On May 4th, the disk space used by our default index jumped from about 400G to about 3TB. This doesn't seem to be related to actual indexing-- we don't index anywhere near 2.5TB a day, and we didn't receive any license alerts.

I have used this search:

index=_internal source=*metrics.log | eval GB=kb/(1024*1024) | search group="per_sourcetype_thruput" | chart sum(GB) by series

...to look at the amount indexed per sourcetype for the days around the 4th, but there isn't any difference between them, and on none of these days did we index anywhere near that much data.

On the 5th, our disk usage returned to its old daily growth rate.

Is there a way to figure out what happened on the 4th, and why our index suddenly consumed so much disk space without warning?

0 Karma
Reply

grijhwani
Motivator
‎05-09-2016 01:48 PM

Search and tabulate the entries by punctuation, and see of there's a spike in any particular pattern.

Tabulate by hour, and look for the start of the increase.

Find the source of the anomaly.

The answer to your question is in the very data itself...

  • One thing to look out for is that you're not doing some weekly rotation and ending up with all the renumbered rotated logs being reindexed. (If you're using log rotation you also need to implement appropriate black/whitelist rules.)
0 Karma
Reply

jbrandtelastica
New Member
‎05-09-2016 01:59 PM

I don't think it's actually stuff being indexed-- looking at the query for license volume doesn't indicate an increase in the amount of data indexed.

Could it be metadata or something?

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...