tsidx reduction

August 5, 2019
Splunk

This article is an exercise in Splunk index management. The sample target index "system-log" collects syslog data. Before reduction takes effect, this index is 370MB.

Configure via the CLI:

$ splunk edit index system-log -enableTsidxReduction true -timePeriodInSecBeforeTsidxReduction 604800

Then restart splunkd.

After enabling reduction (and waiting 10 minutes), this index is about 130MB.

Related log entries:

08-05-2019 11:15:26.196 +0900 INFO  DatabaseDirectoryManager - idx=system-log Writing a bucket manifest in hotWarmPath='/opt/splunk/var/lib/splunk/system-log/db', pendingBucketUpdates=0 .  Reason='Buckets were rebuilt or tsidx-minified (bucket_count=1).'
...
08-05-2019 11:27:27.566 +0900 INFO  DatabaseDirectoryManager - idx=system-log Writing a bucket manifest in hotWarmPath='/opt/splunk/var/lib/splunk/system-log/db', pendingBucketUpdates=0 .  Reason='Buckets were rebuilt or tsidx-minified (bucket_count=43).'
08-05-2019 11:27:27.568 +0900 INFO  DatabaseDirectoryManager - Finished writing bucket manifest in hotWarmPath=/opt/splunk/var/lib/splunk/system-log/db
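
To confirm from splunkd.log that reduction actually ran on an index, the manifest-write entries above can be parsed for their bucket_count values. The following is an added example, not part of the original article or of Splunk; the function names are hypothetical, and the sample input is the log excerpt quoted above.

```python
import re
from datetime import datetime

# Log lines as quoted in the article (the "..." elision included).
SAMPLE_LOG = """\
08-05-2019 11:15:26.196 +0900 INFO  DatabaseDirectoryManager - idx=system-log Writing a bucket manifest in hotWarmPath='/opt/splunk/var/lib/splunk/system-log/db', pendingBucketUpdates=0 .  Reason='Buckets were rebuilt or tsidx-minified (bucket_count=1).'
...
08-05-2019 11:27:27.566 +0900 INFO  DatabaseDirectoryManager - idx=system-log Writing a bucket manifest in hotWarmPath='/opt/splunk/var/lib/splunk/system-log/db', pendingBucketUpdates=0 .  Reason='Buckets were rebuilt or tsidx-minified (bucket_count=43).'
08-05-2019 11:27:27.568 +0900 INFO  DatabaseDirectoryManager - Finished writing bucket manifest in hotWarmPath=/opt/splunk/var/lib/splunk/system-log/db
"""

# Matches only manifest writes whose Reason mentions tsidx-minified buckets.
LINE_RE = re.compile(
    r"(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"\w+\s+DatabaseDirectoryManager - idx=(?P<idx>\S+) .*"
    r"tsidx-minified \(bucket_count=(?P<count>\d+)\)"
)


def parse_events(text):
    """Return (timestamp, index, bucket_count) for each matching line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # elisions, "Finished writing" lines, unrelated entries
        ts = datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S.%f %z")
        events.append((ts, m["idx"], int(m["count"])))
    return events


def summarize(events):
    """Per index: first/last matching write and the largest bucket_count seen."""
    out = {}
    for ts, idx, count in events:
        s = out.setdefault(idx, {"first": ts, "last": ts, "max_bucket_count": count})
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
        s["max_bucket_count"] = max(s["max_bucket_count"], count)
    return out


if __name__ == "__main__":
    for idx, s in summarize(parse_events(SAMPLE_LOG)).items():
        print(idx, s["max_bucket_count"], s["last"] - s["first"])
```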

Another index (for webserver logs) was reduced from 437MB to 172MB.

Summary

| name | sourcetype | before (MB) | after (MB) | tsidxWritingLevel |
|---|---|---|---|---|
| system-log | syslog | 370 | 130 | 1 |
| webserver | access_combined | 437 | 172 | 1 |
| _internal | splunkd etc. | 3130 | 1850 | 2 |

(Splunk 7.3.1)
