https://community.splunk.com/t5/Knowledge-Management/Knowledge-bundle-size-issues/m-p/639358#M9374 <P>Hi All,</P><P>I have this error message on the SH in Splunk:<BR />{</P><P><SPAN>Knowledge bundle size=3525MB exceeds max limit=2048MB. Distributed searches are running against an outdated knowledge bundle. Please remove/disable files from knowledge bundle or increase maxBundleSize in distsearch.conf.</SPAN></P><P>}</P><P>What I did is increase the&nbsp;<SPAN>maxBundleSize in distsearch.conf :<BR />I did this command on the server:<BR />/opt/splunk/bin/splunk btool distsearch list --debug | grep maxBundleSize<BR />and the result is:<BR />/opt/splunk/etc/system/default/distsearch.conf&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; maxBundleSize = 2048<BR />So inside the&nbsp;/opt/splunk/etc/system/local/distsearch.conf I added the:<BR /><BR />[replicationSettings]<BR />maxBundleSize = 4000<BR /><BR />Restarted Splunk, and noticed that the first error message is gone, but a new Yellow warning appeared:<BR />{</SPAN></P><P><SPAN>The current bundle directory contains a large lookup file that might cause bundle replication fail. The path to the directory is /opt/splunk/var/run/InvestBank-SH-1-1681121119-1681121612.delta.</SPAN></P><P><SPAN>}<BR /></SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="muradgh_0-1681123932468.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/24851i8B39503530125D0D/image-size/medium?v=v2&amp;px=400" role="button" title="muradgh_0-1681123932468.png" alt="muradgh_0-1681123932468.png" /></span></P><P><BR />So I went to this path to check what is going on there:<BR />cd&nbsp;/opt/splunk/var/run<BR /><BR /></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="muradgh_1-1681124580843.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/24852i40F0D23A6B76F55B/image-size/medium?v=v2&amp;px=400" role="button" title="muradgh_1-1681124580843.png" alt="muradgh_1-1681124580843.png" /></span></P><P>I have found 2 large files and one medium.<BR />Can someone please advise me on what to do past this point?&nbsp;</P><P>I have found someone posted to check the below search:<BR />index =_internal sourcetype=splunkd component=Archiver Archiving large_file=*<BR />| stats count latest(size_in_bytes) by large_file<BR /><BR /></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="muradgh_2-1681125073509.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/24853i405BAFD57399CE7A/image-size/medium?v=v2&amp;px=400" role="button" title="muradgh_2-1681125073509.png" alt="muradgh_2-1681125073509.png" /></span></P><P>I don't know if this has any relation to the subject.</P><P><BR /><BR />Please note that my Splunk environment is <STRONG>not</STRONG> a cluster.</P><P><SPAN>&nbsp;</SPAN></P> Mon, 10 Apr 2023 11:14:18 GMT muradgh 2023-04-10T11:14:18Z https://community.splunk.com/t5/Knowledge-Management/Knowledge-bundle-size-issues/m-p/639358#M9374 <P>Hi All,</P><P>I have this error message on the SH in Splunk:<BR />{</P><P><SPAN>Knowledge bundle size=3525MB exceeds max limit=2048MB. Distributed searches are running against an outdated knowledge bundle. Please remove/disable files from knowledge bundle or increase maxBundleSize in distsearch.conf.</SPAN></P><P>}</P><P>What I did is increase the&nbsp;<SPAN>maxBundleSize in distsearch.conf :<BR />I did this command on the server:<BR />/opt/splunk/bin/splunk btool distsearch list --debug | grep maxBundleSize<BR />and the result is:<BR />/opt/splunk/etc/system/default/distsearch.conf&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; maxBundleSize = 2048<BR />So inside the&nbsp;/opt/splunk/etc/system/local/distsearch.conf I added the:<BR /><BR />[replicationSettings]<BR />maxBundleSize = 4000<BR /><BR />Restarted Splunk, and noticed that the first error message is gone, but a new Yellow warning appeared:<BR />{</SPAN></P><P><SPAN>The current bundle directory contains a large lookup file that might cause bundle replication fail. The path to the directory is /opt/splunk/var/run/InvestBank-SH-1-1681121119-1681121612.delta.</SPAN></P><P><SPAN>}<BR /></SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="muradgh_0-1681123932468.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/24851i8B39503530125D0D/image-size/medium?v=v2&amp;px=400" role="button" title="muradgh_0-1681123932468.png" alt="muradgh_0-1681123932468.png" /></span></P><P><BR />So I went to this path to check what is going on there:<BR />cd&nbsp;/opt/splunk/var/run<BR /><BR /></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="muradgh_1-1681124580843.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/24852i40F0D23A6B76F55B/image-size/medium?v=v2&amp;px=400" role="button" title="muradgh_1-1681124580843.png" alt="muradgh_1-1681124580843.png" /></span></P><P>I have found 2 large files and one medium.<BR />Can someone please advise me on what to do past this point?&nbsp;</P><P>I have found someone posted to check the below search:<BR />index =_internal sourcetype=splunkd component=Archiver Archiving large_file=*<BR />| stats count latest(size_in_bytes) by large_file<BR /><BR /></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="muradgh_2-1681125073509.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/24853i405BAFD57399CE7A/image-size/medium?v=v2&amp;px=400" role="button" title="muradgh_2-1681125073509.png" alt="muradgh_2-1681125073509.png" /></span></P><P>I don't know if this has any relation to the subject.</P><P><BR /><BR />Please note that my Splunk environment is <STRONG>not</STRONG> a cluster.</P><P><SPAN>&nbsp;</SPAN></P> Mon, 10 Apr 2023 11:14:18 GMT https://community.splunk.com/t5/Knowledge-Management/Knowledge-bundle-size-issues/m-p/639358#M9374 muradgh 2023-04-10T11:14:18Z https://community.splunk.com/t5/Knowledge-Management/Knowledge-bundle-size-issues/m-p/639363#M9375 <P>Look inside the large bundle files (they're just tarballs) to see what's making them so large.&nbsp; It's probably one or more huge lookup files.&nbsp; Make sure the lookups are expected to be that big as it's possible a bad search is appending rather than replacing data in the lookup.</P><P>If the lookup needs to be that large then remove it from the replication bundle ([repicationDenyList] in distsearch.conf) and distribute it to the indexers via another method.</P> Mon, 10 Apr 2023 12:24:34 GMT https://community.splunk.com/t5/Knowledge-Management/Knowledge-bundle-size-issues/m-p/639363#M9375 richgalloway 2023-04-10T12:24:34Z