I had two large apps causing my knowledge bundle to time out. I deleted both app folders in etc apps and in etc user admin. The knowledge bundle has not shrunk and the warnings and errors continue:
04-16-2013 14:39:49.268 -0500 WARN DistributedBundleReplicationManager - bundle replication to 1 peer(s) took too long (10624ms), bundle file size=45110KB, replicationid=1366141178host=SERVER Options|
source=Splunk Home\var\log\splunk\splunkd.log Options|
I did this same thing on the test system and it worked. On the live system, it doesn't. The knowledge bundle shouldn't be more than a couple of MB now.
I did. I think I have a solution. I'm going to add shareBundle=false into the distsearch.conf and restart. Then I'll change it to true and restart. I bet that will purge that old bundle info out of there. I'll post if it works.
Look at your distsearch.conf file in: Splunk_home\etc\apps\windows\local
Add the stanza:
nontsyslogmappings = apps\windows\lookups\ntsyslog_mappings.csv
this will blacklist the above file (ntsyslog_mappings.csv) so it is not included in the knowledge bundle. You can make the name anything you like for each file you wish to backlist. Run a search on your etc/apps, etc/system, etc/users and blacklist large files that are not needed for the searches. Be careful not to get over zealous in what you blacklist. Hope this helps you.