- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Can you help us with understand how Splunk manages...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Our Splunk system was down this morning, and we noticed that the issue was that lots of bundles were being generated and kept on the search-heads (the problem was not due to overly large bundles). We also had two indexer problem, one where /opt/splunk/var was running out of space and another that was unreachable due to network issues.
I have some questions on how Splunk manages bundles:
1) What happens if a search-peer is down/unreachable? Will splunk try to keep sending the bundle? Will it keep a copy of that bundle until it can send it?
2) Is there a way to limit how many bundles the search-heads keep?
3) Is there a way to limit the size of the bundles?
4) Is there a way to limit how often bundles get created? Are there any cons to limiting how often they get created?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi There,
1) What happens if a search-peer is down/unreachable? Will splunk try to keep sending the bundle? Will it keep a copy of that bundle until it can send it?
Doesn't keep trying the send the bundle, only sends it when you run a search and peer requires bundle, in that case it's sent to all active peers. More info here : http://docs.splunk.com/Documentation/Splunk/7.2.0/DistSearch/Whatsearchheadssend
2) Is there a way to limit how many bundles the search-heads keep?
No.
3) Is there a way to limit the size of the bundles?
Yes, you can do that by limiting the number of files included in the bundle. More info here:
http://docs.splunk.com/Documentation/Splunk/7.2.0/DistSearch/Limittheknowledgebundlesize
4) Is there a way to limit how often bundles get created? Are there any cons to limiting how often they get created?
No.
Have a look at this answer too, could be helpful : https://answers.splunk.com/answers/458837/how-do-bundles-work.html
And this conf talk : https://conf.splunk.com/files/2017/slides/pushing-configuration-bundles-in-an-indexer-cluster.pdf
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi There,
1) What happens if a search-peer is down/unreachable? Will splunk try to keep sending the bundle? Will it keep a copy of that bundle until it can send it?
Doesn't keep trying the send the bundle, only sends it when you run a search and peer requires bundle, in that case it's sent to all active peers. More info here : http://docs.splunk.com/Documentation/Splunk/7.2.0/DistSearch/Whatsearchheadssend
2) Is there a way to limit how many bundles the search-heads keep?
No.
3) Is there a way to limit the size of the bundles?
Yes, you can do that by limiting the number of files included in the bundle. More info here:
http://docs.splunk.com/Documentation/Splunk/7.2.0/DistSearch/Limittheknowledgebundlesize
4) Is there a way to limit how often bundles get created? Are there any cons to limiting how often they get created?
No.
Have a look at this answer too, could be helpful : https://answers.splunk.com/answers/458837/how-do-bundles-work.html
And this conf talk : https://conf.splunk.com/files/2017/slides/pushing-configuration-bundles-in-an-indexer-cluster.pdf
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think we had this same problem. Please check this thread out it seemed to help us:
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
