Solved: because of a symlink size of bundle file is 0 on s...

imrago · ‎12-22-2011

Hi,

I have a simple setup, one searchhead and one indexer. Starting from the latest upgrade to 4.2.4 the size of bundle file on the searchhead is always zero and it is not being replicated to the indexer.
How could I fix this or how could I find the cause of the problem?

imrago · ‎12-27-2011

I solved the problem by creating a blacklist for the directory containing the symlink, the following post helped me a lot:

http://splunk-base.splunk.com/answers/36774/distributed-search-knowledge-bundle-regex

View solution in original post

imrago · ‎12-27-2011

I solved the problem by creating a blacklist for the directory containing the symlink, the following post helped me a lot:

http://splunk-base.splunk.com/answers/36774/distributed-search-knowledge-bundle-regex

imrago · ‎12-23-2011

I found the cause of the problem : a symbolic link in the /opt/splunk/etc/apps/applicationname/appserver/static folder. It was working in earlier versions (4.2.2) . Could it be a bug?

because of a symlink size of bundle file is 0 on searchhead in /opt/splunk/var/run/

.conf23 Registration is Now Open!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control