- Splunk Answers
- :
- Splunk Premium Solutions
- :
- IT Ops Premium Solutions
- :
- Splunk IT Service Intelligence
- :
- Re: Shrink data in splunk insight for infrastructu...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Shrink data in splunk insight for infrastructure
How can I shrink or truncate the data in splunk insight for infrastructure?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just configure the volume definitions in your indexes.conf on your indexers and constrain it to be within the maximum size that you can allow and Splunk will automatically delete the oldest events to make room for newer events as necessary.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@woodcock I created these files as they were not there, and restarted. No affect seen:
```
grep maxVolumeDataSizeMB -R /opt/splunk/etc | grep -v README
/opt/splunk/etc/system/local/indexes.conf:maxVolumeDataSizeMB = 10480
/opt/splunk/etc/apps/splunk_app_infrastructure/default/indexes.conf:maxVolumeDataSizeMB = 10480
/opt/splunk/etc/apps/splunk_app_infrastructure/local/indexes.conf:maxVolumeDataSizeMB = 10480
```
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You also need to know the stanza header that is immediately above each setting. Is it [default], or [yourIndexValue] or [someIndexThatIsNotYours]?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure. Is it a single tar installation, and standalone installation. This is not an installation of app in splunk enterprise.
https://docs.splunk.com/Documentation/Infrastructure/1.4.0/Install/InstallOnLinux
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use cribl (https://cribl.io) to trim it on the way in. There are many, many ways, depending on what you mean. Tell the cribl guys that woodcock sent you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not during the ingest. But truncate or cleanup whatever has been collected; logs and metrics data. We have small infrastructure and not much of disks to store all those SII data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It depends on you are doing it. Are you using collectd or what?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, it uses collectd. SII by default (or probably only way) uses collectd.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
