It looks like Splunk for Palo Alto Networks is using tscollect commands to create dashboards, and the files associated with these commands are stored in /opt/splunk/var/lib/splunk/tsidxstats. They seem to be growing uncontrollably and filling our server. (Hot / cold buckets are configured on a separate set of filesystems, with tsidx files, but these appear to be something different.)
- Am I right about the origin of these files?
- Is there a way to limit the growth of these files?
- Can these files be manually removed, say, with a cron job that removes anything more than X months old? If so, how long should they be kept?