Archive
Highlighted

Replicated scheduled search not removed

Path Finder

Hi,

I keep receiving the warning message related "Search peer xxxxxx03 has the following message: Dispatch Command: The number of search artifacts in the dispatch directory is higher than recommended (count=7948, warning threshold=5000) and could have an impact on search performance. Remove excess search artifacts using the "splunk clean-dispatch" CLI command, and review artifact retention policies in limits.conf and savedsearches.conf. You can also raise this warning threshold in limits.conf / dispatchdirwarning_size".

I keep cleaning the that SH (other 3 SH don't have problems) dispatch folders, but the job increases very fast. I figured out that the dispatch folder has about 5000 records of rsa_scheduler. Many are more 2-3 hours old which are strange.

So how can I know the Period of the scheduler search and where it is replicated from?
For example:
drwx------. 2 splunk splunk 263 Sep 16 14:03 rsaschedulernobodynmonRMD5ee48120c2dd6c8ccat156860640026400546F2A6F-BFB1-4954-9173-74A67615D481
drwx------. 2 splunk splunk 363 Sep 16 14:03
rsa
schedulernobodyuberAgent_RMD5b4e9f6a64f89a433at156856140015572_54E1D115-8124-4FE4-A9EB-5B4AADB08D33

Tks.

Tags (1)
0 Karma