I am trying to troubleshoot an issue with a clustered search head restarting itself and came across an error message in the _internal logs that is puzzling. There are about 50 of these type of messages around the time of the Splunk service going down on the search head:
-400 ERROR Archiver - >>> Unable to write due to: No space left on device
I have checked the disk space on the search head and everything is well within limits. I have also checked permissions for the /opt/splunk folder to make sure there is read/write/execute access as non-root.
Does anyone have any idea what this error message means and if so, ideas on how to fix this issue?
↧