Splunk offers a free version with a 500 MB per day indexing limit, which means you can only add 500 MB amount of new data for indexing per day. This might work for most home users, the only problem is the first time you install Splunk, you might configure it to injest your existing log files which most likely are above 500 MB if you consolidate your logs in a syslog server like I do. In this case, Splunk will stop indexing any data above 500 MB per day. During first time indexing, make sure your existing data or log files are below this limit. If for some reason, you ask Splunk to injest way more than 500 MB of data and you want to start fresh, run the following command to clean up the data –
splunk clean eventdata
You can find the details on Splunk Free on this link.
Here is the series of commands I had to execute to clean up the event data –
[daniel@localhost]$ pwd /opt/splunk/bin [daniel@localhost]$ sudo -H -u splunk ./splunk clean eventdata In order to clean, Splunkd must not be running. [daniel@localhost bin]$ sudo -H -u splunk /opt/splunk/bin/splunk stop Stopping splunkd... Shutting down. Please wait, as this may take a few minutes. .. [ OK ] Stopping splunk helpers... [ OK ] Done. [daniel@localhost bin]$ sudo -H -u splunk ./splunk clean eventdata This action will permanently erase all events from ALL indexes; it cannot be undone. Are you sure you want to continue [y/n]? y Cleaning database _audit. Cleaning database _blocksignature. Cleaning database _internal. Cleaning database _introspection. Cleaning database _thefishbucket. Cleaning database history. Cleaning database main. Cleaning database summary. Disabled database 'splunklogger': will not clean. [daniel@localhost bin]$ sudo -H -u splunk /opt/splunk/bin/splunk start Checking prerequisites... Checking http port : open Checking mgmt port : open Checking appserver port [127.0.0.1:8065]: open Checking kvstore port : open Checking configuration... Done. Checking critical directories... Done Checking indexes... Validated: _audit _blocksignature _internal _introspection _thefishbucket history main summary Done Checking filesystem compatibility... Done Checking conf files for problems... Done All preliminary checks passed. Starting splunk server daemon (splunkd)... Done [ OK ] Waiting for web server at https://127.0.0.1:8000 to be available.. Done If you get stuck, we're here to help. Look for answers here: http://docs.splunk.com The Splunk web interface is at https://localhost:8000