Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Changing path or purging data from /opt/splunk/var/run/splunk/dispatch

RVDowning
Contributor
‎04-06-2012 07:18 AM

My question is related to this one: http://splunk-base.splunk.com/answers/2205/can-i-change-the-path-of-the-dispatch-directory

I am getting the warning message: The minimum free disk space (2000MB) reached for /opt/splunk/var/run/splunk/dispatch

Namely, I am also running into disk space issues with only 1.5 GB remaining in the partition in which /opt/splunk/var/run/splunk/dispatch resides (60% full). I set the indexing path to /splunk/data with 100 GB available and is only 4% full. Can I change the path of the dispatch directory (using splunk 4.3 on Linux)? Perhaps I don't understand the nature of what is in the dispatch directory. Are these just saved searches? Are these temporary intermediate results? Can this data just be removed? Since the data is still there in the large partition presumably data can always be found again.

Thanks!
Rich

Reply

jbsplunk
Splunk Employee
Splunk Employee
‎04-06-2012 12:53 PM

You don't have the ability to change where search artifacts are stored, they'll always be in this directory. As noted in the post you reference, you may make this directory into a symbolic link where you have more space available.

These aren't just saved searches, they are ad-hoc searches, and it isn't exactly correct to say they are the searches. What is stored in this folder are the search artifacts, and these artifacts make up the search results. Once the artifacts expire because the TTL for a particular job has been reached, the results will be reaped and the folder for that job will be removed. You may delete anything you'd like in this folder, the only effect you'll see on product functionality is that the results of the searches which you remove the the artifacts for will no longer be available.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...