Deployment Architecture
Highlighted

anyone successfully run clean-dispatch in 6.2.X search head cluster?

Builder

I see a lot of info out in answers related to running clean-dispatch on standalone search heads and even one persons comments on running in a 6.0 or 6.1 search head pool. I'm wondering if anyone has experience running this on a 6.2+ search head cluster where replication factor might affect it.

0 Karma
Highlighted

Re: anyone successfully run clean-dispatch in 6.2.X search head cluster?

Influencer

No, but you can avoid the problem entirely by setting a lower TTL for search artifacts. Take a look at: http://blogs.splunk.com/2012/09/12/how-long-does-my-search-live-default-search-ttl/

View solution in original post

Highlighted

Re: anyone successfully run clean-dispatch in 6.2.X search head cluster?

Builder

Yeah, we had someone set a particularly chatty alert to retain fired alerts for 30 days causing a build up of artifacts. We didn't pick it up until we started getting warning messages that our dispatch directory was north of 2000.

0 Karma
Highlighted

Re: anyone successfully run clean-dispatch in 6.2.X search head cluster?

Builder

I'll accept this as an answer as I don't want to select my own answer below. It is in fact a valid solution to avoid the situation altogether, however, if you find yourself in need of running the command as I did, then check my answer below.

0 Karma
Highlighted

Re: anyone successfully run clean-dispatch in 6.2.X search head cluster?

Builder

Late follow up. We went ahead and ran this on our 6.2.6 search head cluster and it worked like a charm. As others have stated in their answers, you must create and specify a directory on the same filesystem. Once the command finishes, you can safely delete the newly created dispatch directory as it's only those items older than you specified in the command. You have to run the command on each node of your SHC also. We did not stop our cluster or anything.

0 Karma