https://community.splunk.com/t5/Deployment-Architecture/Why-is-opt-splunk-var-run-splunk-cluster-search-buckets-filling/m-p/288096#M10936 <P>Splunk 6.6.3, clustered env. One of our indexers reporting high disk usage. Traced it down to <CODE>/opt/splunk/var/run/splunk/cluster/search-buckets</CODE> containing many <CODE>search_sitedefault_gen*.csv.gz</CODE> and <CODE>summarize_sitedefault_gen*.csv.gz</CODE> files going back to 22 days ago (December 12 at this time). I deleted older ones to stop triggering our disk use alerts.</P> <P>Whats creating these files and why?</P> Thu, 31 Mar 2022 13:16:16 GMT richarddicaire 2022-03-31T13:16:16Z https://community.splunk.com/t5/Deployment-Architecture/Why-is-opt-splunk-var-run-splunk-cluster-search-buckets-filling/m-p/288096#M10936 <P>Splunk 6.6.3, clustered env. One of our indexers reporting high disk usage. Traced it down to <CODE>/opt/splunk/var/run/splunk/cluster/search-buckets</CODE> containing many <CODE>search_sitedefault_gen*.csv.gz</CODE> and <CODE>summarize_sitedefault_gen*.csv.gz</CODE> files going back to 22 days ago (December 12 at this time). I deleted older ones to stop triggering our disk use alerts.</P> <P>Whats creating these files and why?</P> Thu, 31 Mar 2022 13:16:16 GMT https://community.splunk.com/t5/Deployment-Architecture/Why-is-opt-splunk-var-run-splunk-cluster-search-buckets-filling/m-p/288096#M10936 richarddicaire 2022-03-31T13:16:16Z https://community.splunk.com/t5/Deployment-Architecture/Why-is-opt-splunk-var-run-splunk-cluster-search-buckets-filling/m-p/288097#M10937 <P>We're now seeing additional indexers having disk usage issues from the above, can anyone shed any light?</P> Fri, 05 Jan 2018 15:33:46 GMT https://community.splunk.com/t5/Deployment-Architecture/Why-is-opt-splunk-var-run-splunk-cluster-search-buckets-filling/m-p/288097#M10937 richarddicaire 2018-01-05T15:33:46Z https://community.splunk.com/t5/Deployment-Architecture/Why-is-opt-splunk-var-run-splunk-cluster-search-buckets-filling/m-p/288098#M10938 <P>We had recently a similar but different path issue at <A href="https://answers.splunk.com/answers/592064/why-does-optsplunkvarrunsearchpeers-fill-up.html">Why does /opt/splunk/var/run/searchpeers fill up?</A></P> Fri, 05 Jan 2018 16:35:42 GMT https://community.splunk.com/t5/Deployment-Architecture/Why-is-opt-splunk-var-run-splunk-cluster-search-buckets-filling/m-p/288098#M10938 ddrillic 2018-01-05T16:35:42Z https://community.splunk.com/t5/Deployment-Architecture/Why-is-opt-splunk-var-run-splunk-cluster-search-buckets-filling/m-p/288099#M10939 <P>@ddrillic thanks for responding but not related. I need to know what is creating the above files in /opt/splunk/var/run/splunk/cluster/search-buckets. I just had to delete files from all of my indexers to have available space. Never had to do this before our upgrade to 6.6.3.</P> Fri, 05 Jan 2018 16:44:58 GMT https://community.splunk.com/t5/Deployment-Architecture/Why-is-opt-splunk-var-run-splunk-cluster-search-buckets-filling/m-p/288099#M10939 richarddicaire 2018-01-05T16:44:58Z https://community.splunk.com/t5/Deployment-Architecture/Why-is-opt-splunk-var-run-splunk-cluster-search-buckets-filling/m-p/288100#M10940 <P>Hi, can anyone provide input as to what is creating <CODE>search_sitedefault_gen*.csv.gz</CODE> and <CODE>summarize_sitedefault_gen*.csv.gz</CODE> files in <CODE>/opt/splunk/var/run/splunk/cluster/search-buckets</CODE>?</P> <P>Thanks</P> Mon, 08 Jan 2018 16:40:09 GMT https://community.splunk.com/t5/Deployment-Architecture/Why-is-opt-splunk-var-run-splunk-cluster-search-buckets-filling/m-p/288100#M10940 richarddicaire 2018-01-08T16:40:09Z https://community.splunk.com/t5/Deployment-Architecture/Why-is-opt-splunk-var-run-splunk-cluster-search-buckets-filling/m-p/288101#M10941 <P>Same issue here on v6.6.5. Did you ever find anything out?</P> Mon, 25 Jun 2018 21:34:59 GMT https://community.splunk.com/t5/Deployment-Architecture/Why-is-opt-splunk-var-run-splunk-cluster-search-buckets-filling/m-p/288101#M10941 masonmorales 2018-06-25T21:34:59Z https://community.splunk.com/t5/Deployment-Architecture/Why-is-opt-splunk-var-run-splunk-cluster-search-buckets-filling/m-p/288102#M10942 <P>You have a lot of traffic for your deployment. Increase disk space.</P> Sat, 26 Jan 2019 03:12:51 GMT https://community.splunk.com/t5/Deployment-Architecture/Why-is-opt-splunk-var-run-splunk-cluster-search-buckets-filling/m-p/288102#M10942 davpx 2019-01-26T03:12:51Z https://community.splunk.com/t5/Deployment-Architecture/Why-is-opt-splunk-var-run-splunk-cluster-search-buckets-filling/m-p/288103#M10943 <P>This is NOT a helpful answer and does not explain why there are so many of these files in this directory path. There apparently is no documentation from Splunk on this. I am opening a case as I suggest everyone else having this does the same. </P> Mon, 25 Feb 2019 15:30:26 GMT https://community.splunk.com/t5/Deployment-Architecture/Why-is-opt-splunk-var-run-splunk-cluster-search-buckets-filling/m-p/288103#M10943 BainM 2019-02-25T15:30:26Z https://community.splunk.com/t5/Deployment-Architecture/Why-is-opt-splunk-var-run-splunk-cluster-search-buckets-filling/m-p/288104#M10944 <P>This was a combination of two bugs that were fixed in later versions of splunk (7.0.8+, 7.1.6+, 7.2.4+)</P> <P>For a workaround, its safe to</P> <UL> <LI>delete older generation files, keeping the last 10 or so per site</LI> <LI>don't delete the gen0 file</LI> </UL> <P>for example, if i have:<BR /> search_sitedefault_gen1000.csv.gz as the latest file, i can delete search_sitedefault_gen(1-990).csv.gz safely</P> <P>but remember this is per site, so if i have the latest:</P> <P>search_site0_gen1000.csv.gz (delete gen1-990 for site0, dont delete gen0)<BR /> search_site1_gen3500.csv.gz (delete gen1-3490 for site1, dont delete gen0)</P> Tue, 29 Sep 2020 23:33:21 GMT https://community.splunk.com/t5/Deployment-Architecture/Why-is-opt-splunk-var-run-splunk-cluster-search-buckets-filling/m-p/288104#M10944 dxu_splunk 2020-09-29T23:33:21Z https://community.splunk.com/t5/Deployment-Architecture/Why-is-opt-splunk-var-run-splunk-cluster-search-buckets-filling/m-p/288105#M10945 <P>Hi dxu,</P> <P>Is there a workaround for the same?</P> <P>Thanks,<BR /> Santhosh</P> Thu, 10 Oct 2019 05:16:04 GMT https://community.splunk.com/t5/Deployment-Architecture/Why-is-opt-splunk-var-run-splunk-cluster-search-buckets-filling/m-p/288105#M10945 santu27487kanna 2019-10-10T05:16:04Z https://community.splunk.com/t5/Deployment-Architecture/Why-is-opt-splunk-var-run-splunk-cluster-search-buckets-filling/m-p/288106#M10946 <P>FWIW and I know it's not ideal but a rolling restart of the cluster peers will clear these down. I'm on 7.1.5.</P> Tue, 05 Nov 2019 10:35:18 GMT https://community.splunk.com/t5/Deployment-Architecture/Why-is-opt-splunk-var-run-splunk-cluster-search-buckets-filling/m-p/288106#M10946 stepheneardley 2019-11-05T10:35:18Z https://community.splunk.com/t5/Deployment-Architecture/Why-is-opt-splunk-var-run-splunk-cluster-search-buckets-filling/m-p/288107#M10947 <P>Thank you stepheneardley.</P> Tue, 05 Nov 2019 10:43:00 GMT https://community.splunk.com/t5/Deployment-Architecture/Why-is-opt-splunk-var-run-splunk-cluster-search-buckets-filling/m-p/288107#M10947 santu27487kanna 2019-11-05T10:43:00Z https://community.splunk.com/t5/Deployment-Architecture/Why-is-opt-splunk-var-run-splunk-cluster-search-buckets-filling/m-p/288108#M10948 <P>What is the purpose of the file?<BR /> And do you know if there is a cycle or setting method to delete automatically?</P> Tue, 07 Jan 2020 23:56:41 GMT https://community.splunk.com/t5/Deployment-Architecture/Why-is-opt-splunk-var-run-splunk-cluster-search-buckets-filling/m-p/288108#M10948 jk01571 2020-01-07T23:56:41Z https://community.splunk.com/t5/Deployment-Architecture/Why-is-opt-splunk-var-run-splunk-cluster-search-buckets-filling/m-p/591646#M25479 <P>Anyone else facing same issues in 8.2.4. Will check with support and see.</P> Thu, 31 Mar 2022 01:33:40 GMT https://community.splunk.com/t5/Deployment-Architecture/Why-is-opt-splunk-var-run-splunk-cluster-search-buckets-filling/m-p/591646#M25479 Sahr_Lebbie 2022-03-31T01:33:40Z