Hello,
I am working with a fully distributed architecture: Deployment server, multi-site index cluster, search head cluster, ...
I am having some trouble understanding what the use of each bundle residing in the different Splunk directories is.
Can you help me understand the use of these folders?
Thank you 🙂
If memory serves me right...
../searchpeers Contains search bundles from remote Splunk systems that are searching against this peer.
../splunk is where we generate our bundles on the SH that are going to be sent to the remote peers
../cluster/remote-bundle is where a Cluster Master sticks the configuration bundles on the indexers
../deploy Contains Deployer and Deployment Server bundles that are going to be pushed to remote hosts
../dispatch Contains all the information about Searches that are running on the SH/IDX. This would be filled with data on both the SH and the Indexers
Thank you!
Could you explain why the bundle is not deleted after being extracted and applied on the instance?
Which bundle are you referring to here?
Most bundles are eventually reaped. We leave the Clustering Bundles there until a new one is received.
Search bundles (full) stay there and deltas are applied until a new full is required. We eventually reap these as well (at least we are supposed to).
Dispatch folders are also supposed to be reaped.
So if you have a specific issue, tell me exactly what it is you are seeing and I will try and help.
What do you mean by "reap"?
I am just surprised that there are old bundles in my ./splunk folder, as they are no longer useful.
Reap means to remove. On occasion one might get left behind. If that is the case, delete it and move on. If however you end up with lots of items that are not reaping for some reason, I would suggest opening a support case.
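An added example (not code from the thread or from Splunk) that audits the bundle directories listed in the earlier answer for entries that were never reaped, so you can see what is piling up before deleting anything or opening a case. It assumes the directories live under $SPLUNK_HOME/var/run (the thread only shows the trailing path) and uses a constructed sample tree for the dry run.

```python
import os
import tempfile
import time
from dataclasses import dataclass

# Bundle-holding directories from the thread, relative to $SPLUNK_HOME.
# The var/run prefix is assumed. A suffix tuple restricts which entries
# count as bundles; None means every entry in the directory is one.
BUNDLE_DIRS = {
    "var/run/searchpeers": None,                   # bundles received from search heads
    "var/run/splunk": (".bundle", ".delta"),       # bundles generated on the SH
    "var/run/splunk/cluster/remote-bundle": None,  # cluster master bundles on indexers
    "var/run/splunk/deploy": None,                 # deployer / deployment server bundles
    "var/run/splunk/dispatch": None,               # one directory per search
}

@dataclass
class StaleEntry:
    path: str
    age_days: float

def find_stale_bundles(splunk_home, max_age_days, now=None):
    """Report entries in the bundle directories older than max_age_days, oldest first."""
    now = time.time() if now is None else now
    stale = []
    for rel, suffixes in BUNDLE_DIRS.items():
        d = os.path.join(splunk_home, rel)
        if not os.path.isdir(d):
            continue  # role dependent: an indexer has no deploy/, a SH no remote-bundle/
        for name in os.listdir(d):
            if suffixes and not name.endswith(suffixes):
                continue  # skip non-bundle entries such as nested directories
            p = os.path.join(d, name)
            age = (now - os.lstat(p).st_mtime) / 86400.0
            if age > max_age_days:
                stale.append(StaleEntry(p, round(age, 1)))
    return sorted(stale, key=lambda e: e.age_days, reverse=True)

def build_demo_tree(now):
    """Constructed sample $SPLUNK_HOME; values are ages in days set via utime."""
    home = tempfile.mkdtemp(prefix="splunk_home_")
    samples = {
        "var/run/splunk/sh1-1700000000.bundle": 30,      # old full bundle, never reaped
        "var/run/splunk/sh1-1700500000.bundle": 0.5,     # current full bundle
        "var/run/splunk/sh1-1700500000.delta": 0.2,      # current delta
        "var/run/splunk/dispatch/scheduler__admin__search_1700000000": 12,
        "var/run/searchpeers/sh1-1700500000": 1,
    }
    for rel, age in samples.items():
        p = os.path.join(home, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write("constructed placeholder\n")
        os.utime(p, (now - age * 86400, now - age * 86400))
    return home

def demo(max_age_days=7):
    """Run the audit against the constructed tree; returns stale paths relative to home."""
    now = time.time()
    home = build_demo_tree(now)
    return [os.path.relpath(e.path, home) for e in find_stale_bundles(home, max_age_days, now)]
```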
Anyone, please? 🙂