Hi all,
I noticed my Splunk instance wasn't indexing data this afternoon. I looked at the server and one of the disks that hosts some of my indexes was full.
I looked at the individual size of each index on disk and two of them are consuming disk space far in excess of the limits that I have set on the index properties.

Index: wineventlog
Max size: 200 GB
Max bucket size: 10000 MB
Current Size: 199.25 GB
Size of index on disk: 430 GB

Index: windows
Max size: 200 GB
Max bucket size: 10000 MB
Current Size: 75.65 GB
Size of index on disk: 231 GB

As a temporary fix I've increased the size of the VHD (the instance is virtualized) but ideally I'd like to reduce the size of the data on disk. Any pointers on how I should tackle this?
Thanks
Gary