https://community.splunk.com/t5/Getting-Data-In/Controlling-dispatch-directory-growth/m-p/50882#M9756 <P>Hi,</P> <P>We have a continual issue in our environment with the $SPLUNK_HOME/var/run/dispatch directory growing out of control – constantly above 2000 directories and decreasing system performance.</P> <P>There are 2 usecases that seem to cause the biggest issue:<BR /> 1. Realtime searches that alert frequently. In this case I see that a new result(and directory) is created every 1 -2 minutes. This has the ability to create up hundreds of directories within a few hours. Most of these realtime alerts are already restricted to a 24 hour retention, however this doesn’t help if alerts are triggered all night, then there are easily 500+ directories by the morning for just one search...</P> <OL> <LI> Scheduled searches that are setup to executed frequently with a few days retention. We recently had a user setup a search at 5 minute intervals with a 30 day retention… This created a slow growth of 1152 directories over 4 days....</LI> </OL> <P>Between these two usecases we often have Splunk exceeding 3000+ directories quite freqently.</P> <P>I’m curious how other people are managing this?</P> <P>In some circumstances it makes sense to retain results for 30 days; in the case of a daily search.<BR /> It also makes sense for critical monitoring to have frequent alerts. However, a combination of both creates too many directories in dispatch for Splunk to operate efficiently.</P> <P>Is there a mechanism to enforce job retention to a particular user role? ie 24hours only</P> <P>Is there any mechanism to alter how the dispatch directory operates? Even sub folders per app or per user would really help in this case…</P> <P>Mark</P> Wed, 05 Sep 2012 00:05:01 GMT mark 2012-09-05T00:05:01Z https://community.splunk.com/t5/Getting-Data-In/Controlling-dispatch-directory-growth/m-p/50882#M9756 <P>Hi,</P> <P>We have a continual issue in our environment with the $SPLUNK_HOME/var/run/dispatch directory growing out of control – constantly above 2000 directories and decreasing system performance.</P> <P>There are 2 usecases that seem to cause the biggest issue:<BR /> 1. Realtime searches that alert frequently. In this case I see that a new result(and directory) is created every 1 -2 minutes. This has the ability to create up hundreds of directories within a few hours. Most of these realtime alerts are already restricted to a 24 hour retention, however this doesn’t help if alerts are triggered all night, then there are easily 500+ directories by the morning for just one search...</P> <OL> <LI> Scheduled searches that are setup to executed frequently with a few days retention. We recently had a user setup a search at 5 minute intervals with a 30 day retention… This created a slow growth of 1152 directories over 4 days....</LI> </OL> <P>Between these two usecases we often have Splunk exceeding 3000+ directories quite freqently.</P> <P>I’m curious how other people are managing this?</P> <P>In some circumstances it makes sense to retain results for 30 days; in the case of a daily search.<BR /> It also makes sense for critical monitoring to have frequent alerts. However, a combination of both creates too many directories in dispatch for Splunk to operate efficiently.</P> <P>Is there a mechanism to enforce job retention to a particular user role? ie 24hours only</P> <P>Is there any mechanism to alter how the dispatch directory operates? Even sub folders per app or per user would really help in this case…</P> <P>Mark</P> Wed, 05 Sep 2012 00:05:01 GMT https://community.splunk.com/t5/Getting-Data-In/Controlling-dispatch-directory-growth/m-p/50882#M9756 mark 2012-09-05T00:05:01Z https://community.splunk.com/t5/Getting-Data-In/Controlling-dispatch-directory-growth/m-p/50883#M9757 <P>You should simply change the retention periods of your saved searches. They are controlled by the <CODE>ttl</CODE> or <CODE>timeout</CODE> parameter, though depending on how the search is scheduling, there are many places the value may be set or overridden. See the savedsearches.conf and alert_actions.conf files.</P> <P>As for users, you can use roles to limit the amount of <EM>space</EM> a user uses, which indirectly should limit the number of jobs they keep around. </P> Wed, 05 Sep 2012 01:56:42 GMT https://community.splunk.com/t5/Getting-Data-In/Controlling-dispatch-directory-growth/m-p/50883#M9757 gkanapathy 2012-09-05T01:56:42Z https://community.splunk.com/t5/Getting-Data-In/Controlling-dispatch-directory-growth/m-p/50884#M9758 <P>Thanks for the answer.. but as someone new to splunk.. my goodness there are a million savedsearches.conf which one?</P> Fri, 06 May 2016 14:44:26 GMT https://community.splunk.com/t5/Getting-Data-In/Controlling-dispatch-directory-growth/m-p/50884#M9758 mendesjo 2016-05-06T14:44:26Z https://community.splunk.com/t5/Getting-Data-In/Controlling-dispatch-directory-growth/m-p/50885#M9759 <P>Go in to the app which is having maximum searches or least useful. In its local directory, make a limits.conf and update the ttl value.</P> <P>ttl = <BR /> * The time to live (ttl), in seconds, of the cache for the results of a given <BR /> subsearch.<BR /> * Do not set this below 120 seconds.<BR /> * See the definition in the [search] stanza under the “TTL” section for more <BR /> details on how the ttl is computed.<BR /> * Default: 300 (5 minutes)</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.2.3/Admin/Limitsconf">https://docs.splunk.com/Documentation/Splunk/7.2.3/Admin/Limitsconf</A></P> Sun, 06 Jan 2019 21:41:42 GMT https://community.splunk.com/t5/Getting-Data-In/Controlling-dispatch-directory-growth/m-p/50885#M9759 kamal_jagga 2019-01-06T21:41:42Z