Re: Knowledge Bundle Cache?

Strype · ‎04-16-2013

I had two large apps causing my knowledge bundle to time out. I deleted both app folders in etc apps and in etc user admin. The knowledge bundle has not shrunk and the warnings and errors continue:

04-16-2013 14:39:49.268 -0500 WARN DistributedBundleReplicationManager - bundle replication to 1 peer(s) took too long (10624ms), bundle file size=45110KB, replication_id=1366141178host=SERVER Options|

source=Splunk Home\var\log\splunk\splunkd.log Options|

component=DistributedBundleReplicationManager Options|

log_level=WARN Options

I did this same thing on the test system and it worked. On the live system, it doesn't. The knowledge bundle shouldn't be more than a couple of MB now.

Anybody know?

Thanks,

u07t04 · ‎08-01-2013

Did this worked for you? Please let me know.Thanks!

mookiie2005 · ‎07-02-2013

Look at your distsearch.conf file in: Splunk_home\etc\apps\windows\local

Add the stanza:

[replicationBlacklist]
nontsyslogmappings = apps\windows\lookups\ntsyslog_mappings.csv

this will blacklist the above file (ntsyslog_mappings.csv) so it is not included in the knowledge bundle. You can make the name anything you like for each file you wish to backlist. Run a search on your etc/apps, etc/system, etc/users and blacklist large files that are not needed for the searches. Be careful not to get over zealous in what you blacklist. Hope this helps you.

Strype · ‎04-17-2013

I did. I think I have a solution. I'm going to add shareBundle=false into the distsearch.conf and restart. Then I'll change it to true and restart. I bet that will purge that old bundle info out of there. I'll post if it works.

kristian_kolb · ‎04-16-2013

restart splunkd?

Knowledge Bundle Cache?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!