I am using Splunk 5.0.4 and Splunk for Palo Alto Networks 3.3.1. I have noticed a problem with accumulating tsidstats files. In a related thread it is recommended to upgrade to Splunk 6 and at least Splunk for Palo Alto Networks 4.1, but this is not an option for me today. The same thread says that the files can be manually deleted by stopping Splunk and deleting all the pan_* directories in .../splunk/var/lib/splunk/dsidstats; however, it is stated that this will remove historical data from the dashboards. My index that holds pan traffic only goes back 6 months or so. Can I delete all the .tsidx, .tsidx.lock and .merge files older than 6 months and keep the most recent historical data?