Hi,
My Splunk gets bigger and bigger every day.
I'm using only 3-4 modules.
The thing is that every change I'm applying on indexes.conf (Windows install)
doesn't work..
There are 220 gigs for logs but seems that the logs increase to max and don't hold up to the conf settings
I just want to clear old logs when they hit 220 gigs. I don't care at this time about "older" than 220 gigs.
Your help needed.
These are my settings:
# DO NOT EDIT THIS FILE!
################################################################################
# "global" params (not specific to individual indexes)
################################################################################
sync = 0
indexThreads = auto
memPoolMB = auto
defaultDatabase = main
enableRealtimeSearch = true
suppressBannerList =
maxRunningProcessGroups = 8
maxRunningProcessGroupsLowPriority = 1
bucketRebuildMemoryHint = auto
serviceOnlyAsNeeded = true
serviceSubtaskTimingPeriod = 30
maxBucketSizeCacheEntries = 0
processTrackerServiceInterval = 1
hotBucketTimeRefreshInterval = 10
################################################################################
# index specific defaults
################################################################################
maxDataSize = auto_high_volume
maxWarmDBCount = 300
frozenTimePeriodInSecs = 15552000
rotatePeriodInSecs = 60
coldToFrozenScript =
coldToFrozenDir =
compressRawdata = true
maxTotalDataSizeMB = 250000
maxMemMB = 5
maxConcurrentOptimizes = 6
maxHotSpanSecs = 7776000
maxHotIdleSecs = 0
maxHotBuckets = 3
quarantinePastSecs = 25920000
quarantineFutureSecs = 2592000
rawChunkSizeBytes = 131072
minRawFileSyncSecs = disable
assureUTF8 = false
serviceMetaPeriod = 25
partialServiceMetaPeriod = 0
throttleCheckPeriod = 15
syncMeta = true
maxMetaEntries = 1000000
maxBloomBackfillBucketAge = 30d
enableOnlineBucketRepair = true
enableDataIntegrityControl = false
maxTimeUnreplicatedWithAcks = 60
maxTimeUnreplicatedNoAcks = 300
minStreamGroupQueueSize = 2000
warmToColdScript=
tstatsHomePath = volume:_splunk_summaries\$_index_name\datamodel_summary
homePath.maxDataSizeMB = 0
coldPath.maxDataSizeMB = 0
streamingTargetTsidxSyncPeriodMsec = 5000
journalCompression = gzip
enableTsidxReduction = false
tsidxReductionCheckPeriodInSec = 600
timePeriodInSecBeforeTsidxReduction = 604800
#
# By default none of the indexes are replicated.
#
repFactor = 0
[volume:_splunk_summaries]
path = $SPLUNK_DB
################################################################################
# index definitions
################################################################################
[main]
homePath = $SPLUNK_DB\defaultdb\db
coldPath = $SPLUNK_DB\defaultdb\colddb
thawedPath = $SPLUNK_DB\defaultdb\thaweddb
tstatsHomePath = volume:_splunk_summaries\defaultdb\datamodel_summary
maxMemMB = 20
maxConcurrentOptimizes = 6
maxHotIdleSecs = 86400
maxHotBuckets = 10
maxDataSize = auto_high_volume
[history]
homePath = $SPLUNK_DB\historydb\db
coldPath = $SPLUNK_DB\historydb\colddb
thawedPath = $SPLUNK_DB\historydb\thaweddb
tstatsHomePath = volume:_splunk_summaries\historydb\datamodel_summary
maxDataSize = 10
frozenTimePeriodInSecs = 9604800
[summary]
homePath = $SPLUNK_DB\summarydb\db
coldPath = $SPLUNK_DB\summarydb\colddb
thawedPath = $SPLUNK_DB\summarydb\thaweddb
tstatsHomePath = volume:_splunk_summaries\summarydb\datamodel_summary
[_internal]
homePath = $SPLUNK_DB\_internaldb\db
coldPath = $SPLUNK_DB\_internaldb\colddb
thawedPath = $SPLUNK_DB\_internaldb\thaweddb
tstatsHomePath = volume:_splunk_summaries\_internaldb\datamodel_summary
maxDataSize = 1000
maxHotSpanSecs = 432000
frozenTimePeriodInSecs = 2592000
[_audit]
homePath = $SPLUNK_DB\audit\db
coldPath = $SPLUNK_DB\audit\colddb
thawedPath = $SPLUNK_DB\audit\thaweddb
tstatsHomePath = volume:_splunk_summaries\audit\datamodel_summary
[_thefishbucket]
homePath = $SPLUNK_DB\fishbucket\db
coldPath = $SPLUNK_DB\fishbucket\colddb
thawedPath = $SPLUNK_DB\fishbucket\thaweddb
tstatsHomePath = volume:_splunk_summaries\fishbucket\datamodel_summary
maxDataSize = 500
frozenTimePeriodInSecs = 2419200
# this index has been removed in the 4.1 series, but this stanza must be
# preserved to avoid displaying errors for users that have tweaked the index's
# size/etc parameters in local/indexes.conf.
#
[splunklogger]
homePath = $SPLUNK_DB\splunklogger\db
coldPath = $SPLUNK_DB\splunklogger\colddb
thawedPath = $SPLUNK_DB\splunklogger\thaweddb
disabled = true
[_introspection]
homePath = $SPLUNK_DB\_introspection\db
coldPath = $SPLUNK_DB\_introspection\colddb
thawedPath = $SPLUNK_DB\_introspection\thaweddb
maxDataSize = 1024
frozenTimePeriodInSecs = 1209600
... View more