Solved: Re: Why do I often see error "Asynchronous bundle ...

splunkdevabhi · ‎02-15-2016

I see these bundle replication errors very often. Is there a solution or workaround?

02-15-2016 22:56:38.636 -0800 ERROR DistributedBundleReplicationManager - Unexpected problem while uploading bundle: Unknown write error
02-15-2016 22:56:38.636 -0800 ERROR DistributedBundleReplicationManager - Unable to upload bundle to peer named xyz with uri=https://xx.xx.xx.xx:8089.
02-15-2016 22:56:38.637 -0800 WARN  DistributedBundleReplicationManager - Asynchronous bundle replication to 2 peer(s) succeeded; however it took too long (longer than 10 seconds): elapsed_ms=37649, tar_elapsed_ms=23682, bundle_file_size=939470KB, replication_id=1455605760, replication_reason="async replication allowed"

DavidHourani · ‎05-03-2016

Some suggestions:

1- Check the permissions of your bundle files to make sure your SH can access and push them.
2- Make sure your bundle doesn't exceed the limit (In your logs I see that the size is 939470KB, default size is 800MB so you're exceeding it).
3- Make sure you check the content of your bundle using the ID.

Regards,
David

View solution in original post

DavidHourani · ‎05-03-2016

Some suggestions:

1- Check the permissions of your bundle files to make sure your SH can access and push them.
2- Make sure your bundle doesn't exceed the limit (In your logs I see that the size is 939470KB, default size is 800MB so you're exceeding it).
3- Make sure you check the content of your bundle using the ID.

Regards,
David

lycollicott · ‎05-03-2016

Is your bundle being sent to a remote site across a site-to-site VPN tunnel?

DavidHourani · ‎04-28-2016

Any solution ? im having the same problem..

Why do I often see error "Asynchronous bundle replication to 2 peer(s) succeeded; however it took too long..." and how do I fix this?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?