https://community.splunk.com/t5/Getting-Data-In/Indexer-s-SPLUNK-HOME-var-run-searchpeers-excessive-disk-usage/m-p/313171#M58698 <P>If you are seeing this problem it is likely that you are hitting bug <CODE>SPL-140831</CODE> "Splunk not cleaning up $SPLUNK_HOME/var/run/searchpeers of .delta files and matching directories whose only non-empty subdirectory has the .index extension". This bug affects 6.5.x+ and will be fixed in 6.5.6+ and 6.6.3+</P> <P>The issue is that the bundle reaper deletes the bundle directory but lookup file indexing recreates it and the .delta bundle files don't get reaped after that. The bundle files will start accumulating on the indexer in $SPLUNK_HOME/var/run/searchpeers/ and can eventually fill up the disk.</P> <P>To work around the issue increase <CODE>max_memtable_bytes</CODE> on the indexers <CODE>limits.conf</CODE> to be greater than the largest lookup .csv file in a given .bundle file in /var/run/searchpeers.</P> <P>on indexers:<BR /> $SPLUNK_HOME/etc/system/local/limits.conf</P> <P>max_memtable_bytes = <BR /> * Maximum size, in bytes, of static lookup file to use an in-memory index for.<BR /> * Lookup files with size above max_memtable_bytes will be indexed on disk<BR /> * A large value results in loading large lookup files in memory leading to bigger <BR /> process memory footprint.<BR /> * Caution must be exercised when setting this parameter to arbitrarily high values!<BR /> * Default: 10000000 (10MB)</P> <P>This change requires a restart of the indexers</P> <P>If you have lookup .csv files larger than 10MB they will be indexed to disk on the indexer. Increasing from the default 10MB to a value larger than your largest lookup file will cause the file to be loaded into memory for the period a search process is using that lookup. If you do not need to send the lookup file in the bundle you can blacklist it via distsearch.conf on the search heads <A href="https://docs.splunk.com/Documentation/Splunk/6.6.2/DistSearch/Limittheknowledgebundlesize" target="_blank">https://docs.splunk.com/Documentation/Splunk/6.6.2/DistSearch/Limittheknowledgebundlesize</A><BR /> Lookup files are required to be sent to the indexer if you are using automatic lookups (<A href="https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Knowledge/Makeyourlookupautomatic" target="_blank">https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Knowledge/Makeyourlookupautomatic</A>)<BR /> or if you have data model accelerations enabled which are referencing the lookup in the DMA search.</P> <P>How do I know if my DMA search is referencing a lookup ?</P> <P>run the following search and you will see the search the data model acceleration is using and if the search contains a lookup reference:</P> <P><CODE>| rest splunk_server=local /services/datamodel/acceleration| fields title search | eval contains_lookup=if(like(search, "%lookup%"),1,0) | eval contains_lookup=case(contains_lookup=1,"yes",contains_lookup=0,"no")| table title search contains_lookup | search contains_lookup=yes</CODE></P> <P>Note: this search does not cover automatic lookups or lookups that might be referenced via a macro </P> <P>If you see a lookup reference in the search, you need to send that lookup to the indexers in the knowledge bundle so don't blacklist it.</P> Tue, 29 Sep 2020 14:55:01 GMT rphillips_splk 2020-09-29T14:55:01Z https://community.splunk.com/t5/Getting-Data-In/Indexer-s-SPLUNK-HOME-var-run-searchpeers-excessive-disk-usage/m-p/313170#M58697 <P><STRONG>Problem:</STRONG><BR /> Excessive disk space consumed on indexer in $SPLUNK_HOME/var/run/searchpeers to the point where the indexer runs out of disk space. It appears that the bundle files are not being reaped.</P> Thu, 13 Jul 2017 20:11:22 GMT https://community.splunk.com/t5/Getting-Data-In/Indexer-s-SPLUNK-HOME-var-run-searchpeers-excessive-disk-usage/m-p/313170#M58697 rphillips_splk 2017-07-13T20:11:22Z https://community.splunk.com/t5/Getting-Data-In/Indexer-s-SPLUNK-HOME-var-run-searchpeers-excessive-disk-usage/m-p/313171#M58698 <P>If you are seeing this problem it is likely that you are hitting bug <CODE>SPL-140831</CODE> "Splunk not cleaning up $SPLUNK_HOME/var/run/searchpeers of .delta files and matching directories whose only non-empty subdirectory has the .index extension". This bug affects 6.5.x+ and will be fixed in 6.5.6+ and 6.6.3+</P> <P>The issue is that the bundle reaper deletes the bundle directory but lookup file indexing recreates it and the .delta bundle files don't get reaped after that. The bundle files will start accumulating on the indexer in $SPLUNK_HOME/var/run/searchpeers/ and can eventually fill up the disk.</P> <P>To work around the issue increase <CODE>max_memtable_bytes</CODE> on the indexers <CODE>limits.conf</CODE> to be greater than the largest lookup .csv file in a given .bundle file in /var/run/searchpeers.</P> <P>on indexers:<BR /> $SPLUNK_HOME/etc/system/local/limits.conf</P> <P>max_memtable_bytes = <BR /> * Maximum size, in bytes, of static lookup file to use an in-memory index for.<BR /> * Lookup files with size above max_memtable_bytes will be indexed on disk<BR /> * A large value results in loading large lookup files in memory leading to bigger <BR /> process memory footprint.<BR /> * Caution must be exercised when setting this parameter to arbitrarily high values!<BR /> * Default: 10000000 (10MB)</P> <P>This change requires a restart of the indexers</P> <P>If you have lookup .csv files larger than 10MB they will be indexed to disk on the indexer. Increasing from the default 10MB to a value larger than your largest lookup file will cause the file to be loaded into memory for the period a search process is using that lookup. If you do not need to send the lookup file in the bundle you can blacklist it via distsearch.conf on the search heads <A href="https://docs.splunk.com/Documentation/Splunk/6.6.2/DistSearch/Limittheknowledgebundlesize" target="_blank">https://docs.splunk.com/Documentation/Splunk/6.6.2/DistSearch/Limittheknowledgebundlesize</A><BR /> Lookup files are required to be sent to the indexer if you are using automatic lookups (<A href="https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Knowledge/Makeyourlookupautomatic" target="_blank">https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Knowledge/Makeyourlookupautomatic</A>)<BR /> or if you have data model accelerations enabled which are referencing the lookup in the DMA search.</P> <P>How do I know if my DMA search is referencing a lookup ?</P> <P>run the following search and you will see the search the data model acceleration is using and if the search contains a lookup reference:</P> <P><CODE>| rest splunk_server=local /services/datamodel/acceleration| fields title search | eval contains_lookup=if(like(search, "%lookup%"),1,0) | eval contains_lookup=case(contains_lookup=1,"yes",contains_lookup=0,"no")| table title search contains_lookup | search contains_lookup=yes</CODE></P> <P>Note: this search does not cover automatic lookups or lookups that might be referenced via a macro </P> <P>If you see a lookup reference in the search, you need to send that lookup to the indexers in the knowledge bundle so don't blacklist it.</P> Tue, 29 Sep 2020 14:55:01 GMT https://community.splunk.com/t5/Getting-Data-In/Indexer-s-SPLUNK-HOME-var-run-searchpeers-excessive-disk-usage/m-p/313171#M58698 rphillips_splk 2020-09-29T14:55:01Z https://community.splunk.com/t5/Getting-Data-In/Indexer-s-SPLUNK-HOME-var-run-searchpeers-excessive-disk-usage/m-p/313172#M58699 <P>Happened here too with Splunk 6.5.5</P> Wed, 06 Jun 2018 07:46:40 GMT https://community.splunk.com/t5/Getting-Data-In/Indexer-s-SPLUNK-HOME-var-run-searchpeers-excessive-disk-usage/m-p/313172#M58699 duartet 2018-06-06T07:46:40Z