I could really use anyone's help on this. I read the documentation on this and all that document did was to create more questions for me. Basically I have splunk installed in a single instance environment with the following apps: windows infrastructure, cisco networks, cisco asa, cisco ucs, and emc vnx. I have one C drive with 150gb of total disk space and I would like to allocate 50gb for the OS and 100gb for splunk....how do i go about doing that? I'm currently ingesting 15gb of data a day.
here is my indexes.conf file, could someone please tell me what I have to do so splunk doesn't chew up all of my disk space
"global" params (not specific to individual indexes)
sync = 0
indexThreads = auto
memPoolMB = auto
defaultDatabase = main
enableRealtimeSearch = true
suppressBannerList =
maxRunningProcessGroups = 8
maxRunningProcessGroupsLowPriority = 1
bucketRebuildMemoryHint = auto
serviceOnlyAsNeeded = true
serviceSubtaskTimingPeriod = 30
maxBucketSizeCacheEntries = 0
processTrackerServiceInterval = 1
hotBucketTimeRefreshInterval = 10
index specific defaults
maxDataSize = auto
maxWarmDBCount = 300
frozenTimePeriodInSecs = 188697600
rotatePeriodInSecs = 60
coldToFrozenScript =
coldToFrozenDir =
compressRawdata = true
maxTotalDataSizeMB = 500000
maxMemMB = 5
maxConcurrentOptimizes = 6
maxHotSpanSecs = 7776000
maxHotIdleSecs = 0
maxHotBuckets = 3
quarantinePastSecs = 77760000
quarantineFutureSecs = 2592000
rawChunkSizeBytes = 131072
minRawFileSyncSecs = disable
assureUTF8 = false
serviceMetaPeriod = 25
partialServiceMetaPeriod = 0
throttleCheckPeriod = 15
syncMeta = true
maxMetaEntries = 1000000
maxBloomBackfillBucketAge = 30d
enableOnlineBucketRepair = true
enableDataIntegrityControl = false
maxTimeUnreplicatedWithAcks = 60
maxTimeUnreplicatedNoAcks = 300
minStreamGroupQueueSize = 2000
warmToColdScript=
tstatsHomePath = volume:_splunk_summaries\$_index_name\datamodel_summary
homePath.maxDataSizeMB = 0
coldPath.maxDataSizeMB = 0
streamingTargetTsidxSyncPeriodMsec = 5000
journalCompression = gzip
By default none of the indexes are replicated.
repFactor = 0
[volume:_splunk_summaries]
path = $SPLUNK_DB
index definitions
[main]
homePath = $SPLUNK_DB\defaultdb\db
coldPath = $SPLUNK_DB\defaultdb\colddb
thawedPath = $SPLUNK_DB\defaultdb\thaweddb
tstatsHomePath = volume:_splunk_summaries\defaultdb\datamodel_summary
maxMemMB = 20
maxConcurrentOptimizes = 6
maxHotIdleSecs = 86400
maxHotBuckets = 10
maxDataSize = auto_high_volume
[history]
homePath = $SPLUNK_DB\historydb\db
coldPath = $SPLUNK_DB\historydb\colddb
thawedPath = $SPLUNK_DB\historydb\thaweddb
tstatsHomePath = volume:_splunk_summaries\historydb\datamodel_summary
maxDataSize = 10
frozenTimePeriodInSecs = 604800
[summary]
homePath = $SPLUNK_DB\summarydb\db
coldPath = $SPLUNK_DB\summarydb\colddb
thawedPath = $SPLUNK_DB\summarydb\thaweddb
tstatsHomePath = volume:_splunk_summaries\summarydb\datamodel_summary
[_internal]
homePath = $SPLUNK_DB_internaldb\db
coldPath = $SPLUNK_DB_internaldb\colddb
thawedPath = $SPLUNK_DB_internaldb\thaweddb
tstatsHomePath = volume:_splunk_summaries_internaldb\datamodel_summary
maxDataSize = 1000
maxHotSpanSecs = 432000
frozenTimePeriodInSecs = 2592000
[_audit]
homePath = $SPLUNK_DB\audit\db
coldPath = $SPLUNK_DB\audit\colddb
thawedPath = $SPLUNK_DB\audit\thaweddb
tstatsHomePath = volume:_splunk_summaries\audit\datamodel_summary
[_thefishbucket]
homePath = $SPLUNK_DB\fishbucket\db
coldPath = $SPLUNK_DB\fishbucket\colddb
thawedPath = $SPLUNK_DB\fishbucket\thaweddb
tstatsHomePath = volume:_splunk_summaries\fishbucket\datamodel_summary
maxDataSize = 500
frozenTimePeriodInSecs = 2419200
this index has been removed in the 4.1 series, but this stanza must be
preserved to avoid displaying errors for users that have tweaked the index's
size/etc parameters in local/indexes.conf.
[splunklogger]
homePath = $SPLUNK_DB\splunklogger\db
coldPath = $SPLUNK_DB\splunklogger\colddb
thawedPath = $SPLUNK_DB\splunklogger\thaweddb
disabled = true
[_introspection]
homePath = $SPLUNK_DB_introspection\db
coldPath = $SPLUNK_DB_introspection\colddb
thawedPath = $SPLUNK_DB_introspection\thaweddb
maxDataSize = 1024
frozenTimePeriodInSecs = 1209600
... View more