Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Forced bundle replication failed. Reverting to old behavior - using most recent bundles on all

vzabawski
Path Finder
‎09-14-2021 02:44 AM

Hello everyone. I'm getting Forced bundle replication failed. Reverting to old behavior - using most recent bundles on all on a search head, and I'm not sure how to fix this. I excluded heavy files from the bundle, also restarted the search head, but nothing changes. Where should I dig? I wasn't able to find this error message in Splunk documentation and on the internet. The closest topic on Splunk answers was related to search head clustering, but since I wasn't setting up SH clustering, I guess it's not applicable.

Additional info. Before the issue occurred, I've noticed that disk usage on indexers went to 100%. I solved it by deleting data from /opt/splunk/var/run/searchpeers (except the latest files).

My environment:

- 4 indexer VMs.

- 2 search head VMs (not clustered, just testing Splunk 7 and Splunk 8 in parallel). 4 indexers are connected as distributed search peers to each of those search heads.

- No deployment server in use.

Sometimes network connection is not good between indexers and search head, so maybe it contributes somehow.

Any suggestions and ideas appreciated.

 

Labels (3)
Reply

codebuilder
Influencer
‎09-14-2021 12:22 PM

Try cycling the index master, then a rolling restart of the indexer cluster. Once the cluster is back up try to re-validate the new bundle via the master.

If that doesn't work, make a small change in your bundle somewhere like a add/modify a readme text file, etc.
That's enough to cause the master to see it as a new bundle and re-validate.

Using the GUI on the master is actually the easiest/best way to do the restart, cycling, and bundle validation/push, in my opinion. Just fyi.

----
An upvote would be appreciated and Accept Solution if it helps!
Reply

vzabawski
Path Finder
‎09-15-2021 12:23 AM

Thanks for your reply. What should I do if it isn't an indexer cluster? Those indexers are standalone, so there's no replication going on, and no indexer master is present.

Anyway, I think restarting indexers might be a good idea, so I'll try it.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...