How do bundles work with the forwarders?

ddrillic · ‎06-28-2019

All along we spoke about bundles on the indexers and SHs, but yesterday my colleague mentioned to me that they are used also with the forwarders. I believe the bundles reside at C:\opt\splunk\splunkforwarder\var\run on our windows forwarders.

Any information about it?

richgalloway · ‎07-04-2019

The bundles sent from search head to indexer are not sent anywhere else.
Search heads do not communicate with forwarders.
Forwarders send data to indexers, but that is not a "bundle".
Deployment Servers (which can be part of an SH instance) communicate with forwarders to tell them which apps to download. These are not "bundles", either.

---
If this reply helps you, Karma would be appreciated.

ddrillic · ‎07-08-2019

Not sure about the terminology but I see the following -

/monitor/splunkforwarder-linux/var/run/<app>
$ \ls -tlr
total 1252
-rw-------. 1 splunknu dce 1239040 May 16 11:15 Splunk_TA_nix-1558023151.bundle
-rw-------. 1 splunknu dce   40960 Jun 14 09:38 <app>-1560523046.bundle

And by removing this *.bundle file, the deployment server sends a new one.

richgalloway · ‎07-09-2019

Those are the apps downloaded by the forwarder from the DS. They're not usually referred to as bundles, but I see that is what the forwarder calls them. Thanks for the education!

---
If this reply helps you, Karma would be appreciated.

ddrillic · ‎07-09-2019

Thank you @richgalloway for all your help - it was interesting to see these *.bundle files on the forwarder ; -)

ddrillic · ‎07-17-2019

The following mentions the *.bundle files but not their var/run/<app> location - Extended example: Deploy configurations to several forwarders

In the page, we can search for fwd_to_splunk1-timestamp.bundle.

How do bundles work with the forwarders?

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!