Thursday, December 22, 2011

is 'Splunk' eating up your disk space

if you have been using default set of splunk configurations, soon you could also face your entire disk space being filled with splunk's database.....

you can keep a check over that by lowering down its upper-limit over database indices size from several 100s 0f 1000s MBs ((default maxTotalDataSizeMB per index is 500Gigabytes)) to the desired/affordable Size in MBs.

File: /var/ebs/splunk/etc/system/local/indexes.conf
maxTotalDataSizeMB = 3000

managing index size in Splunk is better covered at

