Solved: because of a symlink size of bundle file is 0 on s...

imrago · ‎12-22-2011

Hi,

I have a simple setup, one searchhead and one indexer. Starting from the latest upgrade to 4.2.4 the size of bundle file on the searchhead is always zero and it is not being replicated to the indexer.
How could I fix this or how could I find the cause of the problem?

imrago · ‎12-27-2011

I solved the problem by creating a blacklist for the directory containing the symlink, the following post helped me a lot:

http://splunk-base.splunk.com/answers/36774/distributed-search-knowledge-bundle-regex

View solution in original post

imrago · ‎12-27-2011

I solved the problem by creating a blacklist for the directory containing the symlink, the following post helped me a lot:

http://splunk-base.splunk.com/answers/36774/distributed-search-knowledge-bundle-regex

imrago · ‎12-23-2011

I found the cause of the problem : a symbolic link in the /opt/splunk/etc/apps/applicationname/appserver/static folder. It was working in earlier versions (4.2.2) . Could it be a bug?

because of a symlink size of bundle file is 0 on searchhead in /opt/splunk/var/run/

Harnessing Splunk’s Federated Search for Amazon S3

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases