This article is an exercise in Splunk index management. A sample target index, “system-log”, collects Syslog data. Before reduction takes effect, this index is 370MB.
Configure via the CLI:
$ splunk edit index system-log -enableTsidxReduction true -timePeriodInSecBeforeTsidxReduction 604800
Then restart splunkd.
About 10 minutes after enabling reduction, this index is about 130MB.
Related logs:
08-05-2019 11:15:26.196 +0900 INFO DatabaseDirectoryManager - idx=system-log Writing a bucket manifest in hotWarmPath='/opt/splunk/var/lib/splunk/system-log/db', pendingBucketUpdates=0 . Reason='Buckets were rebuilt or tsidx-minified (bucket_count=1).'
...
08-05-2019 11:27:27.566 +0900 INFO DatabaseDirectoryManager - idx=system-log Writing a bucket manifest in hotWarmPath='/opt/splunk/var/lib/splunk/system-log/db', pendingBucketUpdates=0 . Reason='Buckets were rebuilt or tsidx-minified (bucket_count=43).'
08-05-2019 11:27:27.568 +0900 INFO DatabaseDirectoryManager - Finished writing bucket manifest in hotWarmPath=/opt/splunk/var/lib/splunk/system-log/db
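To follow reduction progress from splunkd.log, this added example (not part of the original article) parses the DatabaseDirectoryManager lines shown above and reports, per index, the number of matching manifest writes, the largest bucket_count logged, and the time between the first and last one. The function and field names are my own; the sample input is the log excerpt above.

```python
import re
from datetime import datetime

# Sample lines copied from the splunkd.log excerpt above; "..." marks the elided lines.
SAMPLE_LOG = """\
08-05-2019 11:15:26.196 +0900 INFO DatabaseDirectoryManager - idx=system-log Writing a bucket manifest in hotWarmPath='/opt/splunk/var/lib/splunk/system-log/db', pendingBucketUpdates=0 . Reason='Buckets were rebuilt or tsidx-minified (bucket_count=1).'
...
08-05-2019 11:27:27.566 +0900 INFO DatabaseDirectoryManager - idx=system-log Writing a bucket manifest in hotWarmPath='/opt/splunk/var/lib/splunk/system-log/db', pendingBucketUpdates=0 . Reason='Buckets were rebuilt or tsidx-minified (bucket_count=43).'
08-05-2019 11:27:27.568 +0900 INFO DatabaseDirectoryManager - Finished writing bucket manifest in hotWarmPath=/opt/splunk/var/lib/splunk/system-log/db
"""

# Timestamp, log level, component, index name, then the bucket_count in the Reason field.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"\S+\s+DatabaseDirectoryManager - idx=(?P<idx>\S+) .*"
    r"tsidx-minified \(bucket_count=(?P<count>\d+)\)"
)

def summarize_reduction(log_text):
    """Summarize 'rebuilt or tsidx-minified' manifest writes per index."""
    summary = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # elided line, "Finished writing" line, or unrelated event
        ts = datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S.%f %z")
        entry = summary.setdefault(
            m["idx"], {"first": ts, "last": ts, "events": 0, "max_bucket_count": 0}
        )
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["events"] += 1
        entry["max_bucket_count"] = max(entry["max_bucket_count"], int(m["count"]))
    for entry in summary.values():
        entry["elapsed_s"] = (entry["last"] - entry["first"]).total_seconds()
    return summary

if __name__ == "__main__":
    for idx, e in summarize_reduction(SAMPLE_LOG).items():
        print(f"{idx}: {e['events']} manifest writes, "
              f"max bucket_count={e['max_bucket_count']}, "
              f"span={e['elapsed_s']:.0f}s")
```

The Reason text covers both rebuilds and minification, so a match shows that one of the two happened, not which.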
Another index (for webserver logs) was reduced from 437MB to 172MB.
Summary
name | sourcetype | before (MB) | after (MB) | tsidxWritingLevel |
---|---|---|---|---|
system-log | syslog | 370 | 130 | 1 |
webserver | access_combined | 437 | 172 | 1 |
_internal | splunkd etc. | 3130 | 1850 | 2 |
(Splunk 7.3.1)