I have 2 search heads that are very similar but one has some extra apps installed (such as SoS). The one with more apps is continuously out of disk space and I just found out why. On the search head that is fine, /opt/splunk/var/lib/splunk has 531M used but on the loaded one, it has 35G!!! What is taking up all the space? Many directory pairs like this <appname> and <appname>.dat. Inside each <appname> directory are 3 directories: "colddb", "db", and "thaweddb". The "db" directories are where all the space is consumed. What is creating these and how can I rein it in?
↧