What is the use for these bundle directories?

Contributor

Hello,

I am working with a fully distributed architecture: Deployment server, multi-site index cluster, search head cluster, ...
I am having some trouble understanding what the use is of each bundle residing in the different Splunk directories.

Can you help me understand the use of these folders?

  • $SPLUNK_HOME/var/run/searchpeers/ ===> Knowledge bundle distributed by Search Head (captain?)
  • $SPLUNK_HOME/var/run/splunk/ ===> Configuration bundle? If so, why aren't they removed after being extracted?
  • $SPLUNK_HOME/var/run/splunk/cluster/remote-bundle/ ===> ???
  • $SPLUNK_HOME/var/run/splunk/deploy/ ===> ???
  • $SPLUNK_HOME/var/run/splunk/dispatch/ ===> Job on the search head

Thank you 🙂

0 Karma
1 Solution

Splunk Employee

If memory serves me right...

../searchpeers Contains search bundles from remote splunk systems that are searching against this peer.
../splunk is where we generate our bundles on the SH that are going to be sent to the remote peers
../cluster/remote-bundle is where a Cluster Master sticks the configuration bundles on the indexers
../deploy Contains Deployer and Deployment Server bundles that are going to be pushed to remote hosts
../dispatch Contains all the information about Searches that are running on the SH/IDX. This would be filled with data on both the SH and the Indexers

Contributor

Thank you!

Could you explain why the bundle is not deleted after being extracted and applied on the instance?

0 Karma

Splunk Employee

Which bundle are you referring to here?

Most bundles are eventually reaped. We leave the Clustering Bundles there until a new one is received.

Search bundles (full) stay there and deltas are applied until a new full is required. We eventually reap these as well (at least we are supposed to).

Dispatch folders are also supposed to be reaped as well.

So if you have a specific issue, tell me exactly what it is you are seeing and I will try and help.

0 Karma

Contributor

What do you mean by "reap"?

I am just surprised that there are old bundles in my ./splunk folder, as they are no longer useful.

0 Karma

Splunk Employee

Reap means to remove. On occasion one might get left behind. If that is the case delete it and move on. If however you end up with lots of items that are not reaping for some reason, I would suggest opening a support case.

0 Karma
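
To check whether entries are being left behind, as discussed in the reply above, this added example (not part of the original thread and not Splunk tooling) lists top-level entries older than a given number of days in the five directories from the question. The function names, the 7-day default and the skipping of the `cluster`, `deploy` and `dispatch` sub-directory names are assumptions of this example; it only reports and deletes nothing.

```shell
#!/bin/sh
# Added example: read-only report of old entries in the run-time
# directories named in this thread. Nothing is removed.

# Paths relative to $SPLUNK_HOME, exactly as listed in the question.
BUNDLE_DIRS="var/run/searchpeers
var/run/splunk
var/run/splunk/cluster/remote-bundle
var/run/splunk/deploy
var/run/splunk/dispatch"

# stale_entries SPLUNK_HOME DAYS
# Prints "<relative dir><TAB><entry name>" for every top-level entry whose
# modification time is more than DAYS days old.
stale_entries() {
    home=$1
    days=$2
    printf '%s\n' "$BUNDLE_DIRS" | while IFS= read -r rel; do
        dir="$home/$rel"
        [ -d "$dir" ] || continue   # this role may not have the directory
        # cluster/, deploy/ and dispatch/ live inside var/run/splunk and are
        # audited on their own lines, so they are skipped as entries here.
        find "$dir" -mindepth 1 -maxdepth 1 -mtime +"$days" \
            ! -name cluster ! -name deploy ! -name dispatch |
        while IFS= read -r path; do
            printf '%s\t%s\n' "$rel" "${path##*/}"
        done
    done | LC_ALL=C sort
}

# stale_count SPLUNK_HOME DAYS: number of entries stale_entries would list.
stale_count() {
    stale_entries "$1" "$2" | wc -l | tr -d ' '
}

# Run the report only when SPLUNK_HOME is set; first argument is the age in days.
if [ -n "${SPLUNK_HOME:-}" ]; then
    stale_entries "$SPLUNK_HOME" "${1:-7}"
fi
```

An entry appearing in the report is not proof that it is unused: var/run/splunk holds more than bundles, so review each line before removing anything, and open a support case if the list keeps growing.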

Contributor

Anyone, please? 🙂

0 Karma