- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Re: anyone successfully run clean-dispatch in 6.2....
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see a lot of info out in answers related to running clean-dispatch on standalone search heads and even one persons comments on running in a 6.0 or 6.1 search head pool. I'm wondering if anyone has experience running this on a 6.2+ search head cluster where replication factor might affect it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, but you can avoid the problem entirely by setting a lower TTL for search artifacts. Take a look at: http://blogs.splunk.com/2012/09/12/how-long-does-my-search-live-default-search-ttl/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Late follow up. We went ahead and ran this on our 6.2.6 search head cluster and it worked like a charm. As others have stated in their answers, you must create and specify a directory on the same filesystem. Once the command finishes, you can safely delete the newly created dispatch directory as it's only those items older than you specified in the command. You have to run the command on each node of your SHC also. We did not stop our cluster or anything.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, but you can avoid the problem entirely by setting a lower TTL for search artifacts. Take a look at: http://blogs.splunk.com/2012/09/12/how-long-does-my-search-live-default-search-ttl/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah, we had someone set a particularly chatty alert to retain fired alerts for 30 days causing a build up of artifacts. We didn't pick it up until we started getting warning messages that our dispatch directory was north of 2000.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'll accept this as an answer as I don't want to select my own answer below. It is in fact a valid solution to avoid the situation altogether, however, if you find yourself in need of running the command as I did, then check my answer below.
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
