We have a distributed Splunk environment with two search heads, four indexers in two clusters, and a deployment server. I set up the Splunk App for Web Analytics on the search heads, configured some web sites, and began running the data model builds described in the Setup steps. As this ran, we started seeing bundle replication warnings, and the search head running the data model build started to fill with very large bundle files, @ 1 GB a piece.
From Splunk logs:
07-31-2015 13:32:36.583 -0400 ERROR DistributedBundleReplicationManager - Unexpected problem while uploading bundle: Unknown write error
07-31-2015 13:32:36.583 -0400 ERROR DistributedBundleReplicationManager - Unable to upload bundle to peer named server1 with uri=https://11.22.33.44:8089.
Try the newest version of the app (1.7) which limits the size of the lookup. I suspect this is issue has to do with the size of the lookup which is causing issues when sending out to the indexers in a distributed environment.
j
I am also seeing the same issue with the 1.5 version of the app and Splunk enterprise 6.3. Bundle files filling up the volume on the search head this app is running on.
Any advice?
any solutions ??